notebooklm

Pass

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: SAFE

Finding categories: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill includes prescriptive instructions labeled as mandatory for task management, which attempt to constrain the agent's operational autonomy and workflow ordering.
  • [PROMPT_INJECTION]: Indirect prompt injection surface identified:
      • Ingestion points: The source_add tool and research_start functionality (found in SKILL.md and rules/workflow-research-discovery.md) ingest untrusted data from URLs, YouTube, Google Drive, and local files.
      • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the notebook_query tool patterns.
      • Capability inventory: The skill environment permits high-impact tools including Bash, Write, and Edit.
      • Sanitization: There is no evidence of input validation or content sanitization before external data is processed by the RAG engine.
  • [DATA_EXFILTRATION]: The source_add tool allows the agent to read local files and upload them to the NotebookLM service. This capability could be exploited to exfiltrate sensitive local data, such as configuration files or credentials, if the agent is tricked by a user or an indirect injection.
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool for environment setup, package management, and authentication workflows.
  • [EXTERNAL_DOWNLOADS]: The skill provides instructions for the installation of the notebooklm-mcp-cli package from PyPI, which is a well-known public package registry.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 1, 2026, 11:35 AM