ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Notebook Lmskill@1.0.0

v1.0.0

Use this skill to query your Google NotebookLM notebooks directly from Claude Code for source-grounded, citation-backed answers from Gemini. Browser automati...

0· 85·1 current·1 all-time
by@1215656
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the code: the skill uses Playwright (via patchright) to open NotebookLM, query notebooks, and persist cookie/profile state. Requiring persistent browser profiles and session cookie handling is coherent with the stated goal of maintaining logged-in access to NotebookLM. However, the code also includes anti-detection measures (stealth/automation avoidance flags) and explicit cookie injection logic that are not strictly required by a naive 'read notebook' helper and are notable because they change how the browser is presented to Google.
!
Instruction Scope
SKILL.md and scripts instruct the agent (or user) to: open a visible browser for login, save and later inject state.json session cookies, always run commands via a run.py wrapper that creates a .venv and installs dependencies, and perform 'smart discovery' queries of a notebook's contents when metadata is missing. The instructions therefore grant the code routine access to local files and to the full contents of user notebooks (expected) but also direct the agent to repeatedly re-query notebooks (follow-up loop). The follow-up mechanism explicitly instructs autonomous repeated queries until 'complete', which could lead to repeated access/use without a clear user confirmation step.
Install Mechanism
No registry-level install spec is provided, but run.py will create a local .venv and pip-install dependencies from requirements.txt (patchright, python-dotenv). patchright is an anti-detection Playwright wrapper and may be used to install or manage Chrome; that implies network downloads and installation of a browser binary. There is no explicit signed or well-known release URL in the skill manifest; the README links (raw GitHub zip link) look malformed. Installing patchright and using it to fetch Chrome is a higher-friction, higher-risk operation than a pure API-only integration.
Credentials
The skill declares no required environment variables or external credentials, yet it persistently stores and later injects Google authentication cookies (state.json and a Chrome user profile) under ~/.claude/skills/notebooklm/data/. That is proportional to the functionality (it must authenticate to NotebookLM), but these artifacts are highly sensitive (session cookies can grant access to the linked Google account). The documentation also recommends using a dedicated Google account and even suggests 'less secure app' settings; those recommendations are concerning from a security posture perspective.
Persistence & Privilege
The skill does not request always: true and is user-invocable; it stores data under a skill-local directory (~/.claude/skills/notebooklm/data/) and creates a local .venv. Those behaviors are typical for a local automation tool and are not an elevated platform privilege. The follow-up automation pattern (agent-initiated repeated queries) increases operational activity but is not a platform-level persistence flag.
What to consider before installing
This skill appears to do what it says (automated browser access to your NotebookLM notebooks), but it uses several sensitive/ unusual techniques. It will: create a local virtualenv and install dependencies (patchright), download or manage a Chrome binary (network activity), open a visible browser for login and persist your Google cookies and profile under ~/.claude/skills/notebooklm/data/, and inject session cookies back into browser sessions. Before installing or using it consider: 1) Only use with a dedicated Google account (do not use your primary account). 2) Inspect run.py and auth_manager.py yourself (or have a trusted developer do so) to verify they do nothing beyond the documented cookie/profile handling. 3) Backup and/or review the state.json and browser_profile files and be prepared to delete them if you revoke access. 4) Be cautious about the anti-detection flags and the 'less secure app' instructions in docs — they can enable more stealthy browser behavior and reduce account security. 5) Prefer code from a known, trusted publisher; if provenance cannot be verified, avoid storing sensitive account cookies with this skill. If you want higher assurance, ask the publisher for a signed release or replace patchright with an audited Playwright installation and remove any unnecessary stealth flags.

Like a lobster shell, security has layers — review code before you run it.

latestvk979dd0hxd15x2g5yfp0pkpsm583k63j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments