Notebook Lmskill@1.0.0

Security checks across malware telemetry and agentic risk

Overview

The skill largely matches its NotebookLM purpose, but needs review because it stores reusable Google session state, installs browser automation automatically, uses stealth-like browser settings, and has misleading download/help links.

Install only if you are comfortable with a local skill that installs Python packages and browser binaries, automates a logged-in Google session, stores reusable session cookies on disk, and may send your questions and notebook context to NotebookLM. Use a dedicated low-risk Google account, avoid the raw ZIP links unless independently verified, protect or delete browser_state/state.json when done, and do not use account rotation to bypass service limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (39)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
pip_exe = venv_dir / "bin" / "pip"

print("   Installing dependencies in isolated environment...")
subprocess.run(
    [str(pip_exe), "install", "-q", "-r", str(requirements_file)],
    check=True
)
Confidence
89% confidence
Finding
subprocess.run( [str(pip_exe), "install", "-q", "-r", str(requirements_file)], check=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
    python_exe = venv_dir / "bin" / "python"

subprocess.run(
    [str(python_exe), "-m", "patchright", "install", "chromium"],
    check=True,
    capture_output=True
Confidence
91% confidence
Finding
subprocess.run( [str(python_exe), "-m", "patchright", "install", "chromium"], check=True, capture_output=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)

# Install requirements
result = subprocess.run(
    [str(self.venv_pip), "install", "-r", str(self.requirements_file)],
    check=True,
    capture_output=True,
Confidence
89% confidence
Finding
result = subprocess.run( [str(self.venv_pip), "install", "-r", str(self.requirements_file)], check=True, capture_output=True

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# See: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright-python#anti-detection
print("🌐 Installing Google Chrome for Patchright...")
try:
    subprocess.run(
        [str(self.venv_python), "-m", "patchright", "install", "chrome"],
        check=True,
        capture_output=True,
Confidence
97% confidence
Finding
subprocess.run( [str(self.venv_python), "-m", "patchright", "install", "chrome"], check=True, capture_output

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to run shell commands, create virtual environments, install dependencies, and read/write local files, yet it declares no permissions. This creates a dangerous transparency gap: a user or platform may not realize the skill can execute code and persist data locally, increasing the chance of unintended command execution and exposure of local state.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The README disguises a direct ZIP download as a GitHub Releases page, which can trick users into downloading and executing unreviewed software under the false impression that they are visiting a standard project distribution page. In a skill that advertises browser automation and persistent authentication to a Google account, deceptive download links materially increase the risk of credential theft or malware installation.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The README tells users to visit a Releases page and select the correct build for their operating system, but the link sends them straight to a single ZIP file instead. This mismatch is deceptive and bypasses the normal trust signals users expect from browsing a release page, increasing the chance they will download a payload without scrutiny.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
Pointing the issues page, wiki, and contributing guidelines to the same ZIP download is a strong deception indicator because it misrepresents support/documentation resources as downloads. This can funnel users repeatedly into downloading or opening a binary/archive when they are seeking help or documentation, which is especially dangerous for a tool requesting ongoing authenticated access to Google services.
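The three link findings above share one mechanical check: does the link text promise a browsable page (a Releases listing, an issue tracker, a wiki) while the href resolves to a file download, and do several unrelated link texts all funnel to the same archive? The script below is an added example for reviewing a README before trusting its download links; it is not part of the skill or of the scanner. The README excerpt and the example.invalid URLs are constructed to mirror the findings, and the lists of page-like words and archive suffixes are assumptions you would tune for your own review.

```python
import re
from urllib.parse import urlparse

# Constructed README excerpt shaped like the findings above; not the skill's real README.
SAMPLE_README = """\
Download the latest build from the [Releases page](https://example.invalid/repo/archive/main.zip)
and pick the correct build for your operating system.

Questions? See the [issue tracker](https://example.invalid/repo/archive/main.zip),
the [wiki](https://example.invalid/repo/archive/main.zip) or the
[contributing guidelines](https://example.invalid/repo/archive/main.zip).

Source: [GitHub repository](https://example.invalid/repo)
"""

MD_LINK = re.compile(r"\[([^\]]+)\]\((https?://[^)\s]+)\)")
# Assumed set of suffixes that mean "this is an artifact, not a page"
ARCHIVE_SUFFIXES = (".zip", ".tar.gz", ".tgz", ".7z", ".exe", ".dmg", ".msi", ".pkg")
# Assumed words in link text that promise a browsable page (listing, tracker, docs), not a file
PAGE_WORDS = ("release", "issue", "wiki", "contribut", "doc", "help", "support")


def is_file_download(url):
    return urlparse(url).path.lower().endswith(ARCHIVE_SUFFIXES)


def find_mismatched_links(markdown):
    """Return links whose text promises a page but whose target is a downloadable artifact,
    plus any archive that several differently worded links all resolve to."""
    findings = []
    by_target = {}
    for text, url in MD_LINK.findall(markdown):
        by_target.setdefault(url, []).append(text)
        if is_file_download(url) and any(w in text.lower() for w in PAGE_WORDS):
            findings.append({"text": text, "url": url,
                             "reason": "page-like link text resolves to a file download"})
    for url, texts in by_target.items():
        if is_file_download(url) and len(set(texts)) > 1:
            findings.append({"text": " | ".join(sorted(set(texts))), "url": url,
                             "reason": "multiple unrelated link texts funnel to the same archive"})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_README):
        print(f"{f['reason']}: [{f['text']}] -> {f['url']}")
```

Run it over the real README and treat every hit as a reason to fetch the archive yourself, compare it against the repository's tagged source, and read the install scripts before extracting anything.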

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation says each question uses a fresh browser session that closes, but elsewhere states that authentication and browser session state are stored persistently. That inconsistency can mislead users about privacy and session isolation, causing them to assume less residual state exists than is actually retained.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The documentation explicitly recommends switching between multiple Google accounts to work around rate limits. That guidance can encourage policy evasion and misuse of third-party service controls, increasing organizational compliance and account-abuse risk in a skill whose primary purpose is notebook querying.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The troubleshooting guide documents capabilities to switch accounts and manage notebooks, which goes beyond the stated query-only purpose and indicates the skill has broader operational control than advertised. This mismatch increases risk because users may authorize or run account and content-management actions they did not expect from a querying skill.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The guide explicitly recommends switching and rotating multiple accounts to bypass NotebookLM rate limits. That is a policy-evasion pattern, and in practice it encourages abuse of external service controls and increases the chance of account lockouts, ToS violations, or automated misuse at scale.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The documentation instructs users to kill browser processes and perform cleanup operations that affect the local system, even though the skill is presented as a NotebookLM query tool. These operations are broader than necessary and can disrupt unrelated user sessions or other applications using the same browser.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The statement that the skill 'Only accesses NotebookLM' is contradicted by the same document's instructions for process killing, local file deletion, environment recreation, account switching, and browser/profile manipulation. Misleading safety claims reduce user caution and can cause users to consent to riskier behavior than they understand.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Importing the scripts package automatically creates a virtual environment and installs dependencies/browser binaries, which is a significant side effect unrelated to merely loading code. In the context of an agent skill, this is more dangerous because simply importing the module can alter the host environment, trigger network activity, and execute third-party install logic without an explicit setup boundary.

Description-Behavior Mismatch

Low
Confidence
95% confidence
Finding
The function returns NotebookLM output with an additional hidden instruction-like suffix that is not part of the upstream answer. This alters tool output semantics and can manipulate downstream agent behavior, causing the caller to treat injected guidance as source-grounded content from NotebookLM.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script deliberately uses stealth tactics such as removing automation indicators, spoofing a user agent, and disabling browser automation signals. In a browser-automation skill, this increases risk because it is designed to evade platform detection and policy controls, which can facilitate unauthorized or less accountable automated access if reused in other contexts.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The authentication flow deliberately configures anti-detection browser evasion features such as removing automation flags, spoofing a user agent, and disabling Blink automation indicators. For a local auth helper, this exceeds what is necessary for normal NotebookLM access and can conceal automated behavior from Google's abuse or bot-detection controls, which increases security and policy risk if reused or extended for unauthorized automation.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code deliberately implements anti-detection browser automation patterns such as randomized delays, human-like typing, mouse movement simulation, and 'realistic' clicks. In a skill whose stated purpose is only querying NotebookLM, this exceeds straightforward automation and can be used to evade bot-detection or platform safeguards, increasing abuse potential and policy/compliance risk.
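Two of the findings above can be confirmed statically before the code is ever imported: the import-time installer (a top-level statement that reaches `subprocess.run` through the module's own functions) and the anti-detection settings (string constants and keyword arguments such as `--disable-blink-features=AutomationControlled` or `user_agent=`). The scanner below is an added example of how a reviewer would check a skill's `scripts/__init__.py` for both; it is not the skill's code and not part of SkillSpector. The sample module is constructed to mirror the findings, and the marker lists are assumptions. It follows only calls between functions defined in the same file, so side effects hidden behind an imported helper or a method call are out of its reach.

```python
import ast

# Constructed module modelled on the findings above (import-time installer plus stealth
# launch settings); it is not the skill's actual scripts/__init__.py.
SAMPLE_MODULE = '''
import subprocess
from pathlib import Path

def _install_browser(venv_dir):
    python_exe = venv_dir / "bin" / "python"
    subprocess.run([str(python_exe), "-m", "patchright", "install", "chrome"], check=True)

def ensure_env():
    venv_dir = Path(".venv")
    _install_browser(venv_dir)

ensure_env()  # executes when the package is imported

def launch(playwright):
    return playwright.chromium.launch(
        args=["--disable-blink-features=AutomationControlled"],
        user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)")
'''

# Assumed: APIs whose invocation at import time counts as a host side effect
SIDE_EFFECT_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                     "subprocess.check_call", "subprocess.check_output", "os.system"}
# Assumed: strings and keyword names that indicate automation-hiding configuration
STEALTH_MARKERS = ("--disable-blink-features", "AutomationControlled",
                   "navigator.webdriver", "user_agent")


def _callee(node):
    """Dotted name of a call target, e.g. 'subprocess.run'; None for anything fancier."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return None


def analyze_module(source):
    tree = ast.parse(source)
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    direct, callees = {}, {}  # per function: side-effect APIs it calls, local functions it calls
    for name, fn in funcs.items():
        direct[name], callees[name] = set(), set()
        for node in ast.walk(fn):
            if isinstance(node, ast.Call):
                cn = _callee(node)
                if cn in SIDE_EFFECT_CALLS:
                    direct[name].add(cn)
                elif cn in funcs:
                    callees[name].add(cn)

    def reachable(name, seen=frozenset()):
        """Side-effect APIs reachable from `name` through the module's own call graph."""
        if name in seen:
            return set()
        found = set(direct.get(name, ()))
        for c in callees.get(name, ()):
            found |= reachable(c, seen | {name})
        return found

    import_time = set()
    definitions = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef, ast.Import, ast.ImportFrom)
    for stmt in tree.body:
        if isinstance(stmt, definitions):
            continue  # definitions only bind names; every other top-level statement runs on import
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call):
                cn = _callee(node)
                if cn in SIDE_EFFECT_CALLS:
                    import_time.add(cn)
                elif cn in funcs:
                    import_time |= reachable(cn)

    stealth = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            stealth.update(m for m in STEALTH_MARKERS if m in node.value)
        elif isinstance(node, ast.keyword) and node.arg in STEALTH_MARKERS:
            stealth.add(node.arg)
    return {"import_time_side_effects": sorted(import_time),
            "stealth_markers": sorted(stealth)}


if __name__ == "__main__":
    print(analyze_module(SAMPLE_MODULE))
```

A non-empty `import_time_side_effects` list is the concrete evidence behind the "importing the scripts package installs dependencies and browser binaries" finding; it means `python -c "import scripts"` alone will spawn pip and download a browser. The stealth markers are not malicious on their own, but a query tool has no legitimate need for them, so their presence should be explained by the author rather than assumed benign.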

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The file implements persistent local state management for adding, updating, removing, activating, and tracking notebooks, which materially exceeds the skill's stated query-focused behavior. In an agent skill context, undisclosed data creation and modification increases risk because users may invoke the skill expecting read/query operations while it silently persists and mutates local metadata.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The remove_notebook path deletes entries from persistent storage and immediately rewrites the library file, but the skill description does not communicate destructive local state changes. In a tool used by an agent, this can lead to unintended data loss if the capability is triggered by misunderstanding, prompt confusion, or indirect instruction.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code comments state that real Chrome is installed for 'consistent browser fingerprinting' and cite anti-detection guidance. That intent is not justified by the skill's described notebook-query purpose and materially increases concern that the skill is designed to evade service protections or perform stealth automation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly instructs saving full authenticated browser state, including session cookies, to `state.json` on disk but does not warn that this file is highly sensitive and effectively equivalent to account access while valid. In the context of a browser-automation skill for Google NotebookLM, this increases the chance that users store reusable auth material insecurely, enabling session hijacking if the file is copied, backed up, or exposed to other local processes.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The runtime flow restores authenticated sessions automatically by loading cookies from `state.json` into the browser context, but the documentation does not clearly warn users that prior Google sessions will silently resume. In this skill's context, that behavior can surprise users, reduce informed consent, and make misuse easier on shared machines or multi-user environments where residual state triggers unintended access to NotebookLM data.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README promotes persistent authentication and instructs users to log into their Google account, but provides no disclosure about how credentials, session cookies, tokens, or notebook data are stored, protected, or revoked. In the context of browser automation against a Google service, omission of these privacy and credential-handling details can lead users to expose sensitive account access without informed consent.
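The three warnings above come down to one file: the `state.json` written by Playwright-style `storage_state` holds the Google session cookies, so whoever can read it can resume the login without a password or second factor. The script below is an added example of the audit and cleanup a user should run on that file; it is not part of the skill. It uses the `storage_state` JSON layout (a `cookies` list with `name`, `domain`, `expires`, `httpOnly`, `secure` fields, where `expires` of -1 marks a session cookie). The state document and cookie names are constructed placeholders, and the file-permission logic assumes a POSIX filesystem.

```python
import json
import os
import stat
import tempfile
import time


def sample_state(now):
    """Constructed storage_state document; the values are placeholders, not real session material."""
    return {
        "cookies": [
            {"name": "__Secure-1PSID", "value": "placeholder", "domain": ".google.com", "path": "/",
             "expires": now + 180 * 86400, "httpOnly": True, "secure": True, "sameSite": "None"},
            {"name": "SIDCC", "value": "placeholder", "domain": ".google.com", "path": "/",
             "expires": now + 365 * 86400, "httpOnly": False, "secure": True, "sameSite": "Lax"},
            {"name": "NID", "value": "placeholder", "domain": ".google.com", "path": "/",
             "expires": now - 60, "httpOnly": True, "secure": True, "sameSite": "None"},
            {"name": "pref", "value": "x", "domain": "notebooklm.google.com", "path": "/",
             "expires": -1, "httpOnly": False, "secure": False, "sameSite": "Lax"},
        ],
        "origins": [],
    }


def audit_storage_state(path, now=None):
    """Report which Google cookies in the file are still usable and whether other local users can read it."""
    now = time.time() if now is None else now
    with open(path) as fh:
        state = json.load(fh)
    live = []
    for c in state.get("cookies", []):
        if not c.get("domain", "").endswith("google.com"):
            continue
        exp = c.get("expires", -1)
        # -1 marks a session cookie; it stays replayable for as long as the file is reloaded into a context
        if exp == -1 or exp > now:
            live.append(c)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "live_google_cookies": sorted(c["name"] for c in live),
        # HttpOnly + Secure cookies on .google.com are the ones that carry the login itself
        "auth_like": sorted(c["name"] for c in live if c.get("httpOnly") and c.get("secure")),
        "readable_by_others": bool(mode & 0o077),
    }


def lock_down(path):
    """Owner-only permissions: the minimum for a file that is equivalent to a logged-in session."""
    os.chmod(path, 0o600)


def shred(path):
    """Overwrite then unlink once the session is no longer needed (best effort on journaling/COW filesystems)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)


def demo():
    """Write the constructed state file world-readable, audit it, lock it down, audit again, then shred it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "state.json")
        with open(path, "w") as fh:
            json.dump(sample_state(now), fh)
        os.chmod(path, 0o644)  # the typical default for a file a script just wrote
        before = audit_storage_state(path, now)
        lock_down(path)
        after = audit_storage_state(path, now)
        shred(path)
        return {"before": before, "after": after, "file_gone": not os.path.exists(path)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Locking the file down and shredding it only limits local exposure; a copy that already left the machine stays valid until the cookies expire, so after any suspected leak sign out of all sessions from the Google account's security page so the server side rejects them.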

VirusTotal

66/66 vendors flagged this skill as clean.
