notebooklm

Warn

Audited by Snyk on May 1, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). This skill explicitly ingests and acts on arbitrary web and Drive content (e.g., SKILL.md and rules/workflow-research-discovery.md instruct using research_start to search the web/Drive, source_add(type="url") to add public URLs, research_import to ingest discovered sources, and notebook_query/studio_create to generate actions), so untrusted third‑party pages can be read and materially influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches arbitrary web URLs at runtime and injects them as notebook sources (e.g., source_add(..., url="https://oauth.net/2.1/")), which are used to ground model responses and are required for certain operations (e.g., studio_create requires at least one source), so remote content can directly control prompts and pose a prompt-injection risk.

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 1, 2026, 11:35 AM
Issues: 2