notebooklm-federated-specs

Pass

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill facilitates an indirect prompt injection attack surface (Category 8). It is designed to ingest external data from arbitrary URLs and local files into NotebookLM notebooks, which then serve as a primary context source for the AI agent. Maliciously crafted instructions within these external sources could potentially manipulate the agent's behavior during subsequent queries.
  • Ingestion points: scripts/research-question.sh accepts external URLs as sources; scripts/merge-specs.sh aggregates local markdown files.
  • Boundary markers: The skill uses simple filename headers (e.g., === {filename} ===) but does not include explicit instructions to ignore embedded commands or system instructions within the imported text.
  • Capability inventory: The skill contains several bash scripts executing CLI tools (nlm, jq, stat) and implements MCP tool integration for notebook creation, artifact generation (audio/video), and public sharing.
  • Sanitization: No sanitization, validation, or filtering is performed on the content imported from external URLs or project files before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill relies on a collection of shell scripts in the scripts/ directory to automate interactions with the nlm (NotebookLM MCP) CLI. These scripts process user-provided inputs such as notebook titles, research questions, and file paths. While variables are generally double-quoted in the scripts, this extensive shell scripting surface increases the risk of command injection if the agent is instructed to execute these scripts with malicious payloads in the argument fields.
  • [EXTERNAL_DOWNLOADS]: Through the research-question.sh script and the notebooklm_source_add MCP tool integration, the skill enables the retrieval of content from arbitrary remote URLs. While the actual download is delegated to the NotebookLM service, the skill provides the mechanism for the agent to incorporate untrusted remote data into its knowledge base.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 8, 2026, 02:45 PM
Security Audit — agent-trust-hub — notebooklm-federated-specs