NotebookLM Distiller

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated NotebookLM-to-Obsidian purpose, but it needs review because it can create NotebookLM resources and write or overwrite local notes without strong confirmation or path safeguards.

Install only if you intentionally want this skill to use your NotebookLM login and write Markdown files into a chosen vault. Before running side-effecting commands, confirm the Google account, notebook or topic, vault directory, exact output path, and whether --writeback is desired; avoid using it on sensitive content until path containment, overwrite protection, and confirmation safeguards are added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The public description understates several operational behaviors: quiz generation, answer evaluation, and especially writing content back into NotebookLM as new sources. That mismatch can defeat user expectations and downstream policy checks, increasing the chance that users authorize the skill without understanding all data flows and persistence actions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The natural-language trigger examples are broad enough that an agent may invoke this skill on loosely related requests without clear user confirmation, especially for actions that create notebooks or write files. In an agentic environment, vague activation criteria increase the risk of unintended file writes, unwanted external research actions, or over-broad access to a user's knowledge base.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises writing arbitrary Markdown directly into an Obsidian vault but does not prominently warn that this modifies local files and can overwrite or create content in sensitive user directories. In an agent-driven workflow, this can lead to unintended persistence of untrusted or incorrect content and possible corruption of a user's notes if path handling is not tightly constrained.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README explicitly advertises that `persist` can write arbitrary Markdown directly into an Obsidian vault, but it does not sufficiently warn that this is a direct file-modification capability over the user's local knowledge base. In agent scenarios this lowers operator vigilance: once upstream prompts, web content, or conversation content are passed unsafely into `--path` / `--content`, the result can be unintended overwriting of notes, implanted misleading content, or even malicious Markdown written where other plugins or automation pipelines will continue to consume it.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The research trigger is broad enough to match ordinary conversational requests like 'research this topic,' causing the skill to launch web research sessions immediately. Because the skill also instructs the agent to avoid clarification and execute at once, benign discussion could trigger external actions, notebook creation, and data acquisition without sufficiently explicit user consent.

Vague Triggers

High
Confidence
95% confidence
Finding
The persist triggers are highly ambiguous and map common phrases such as 'store this to Obsidian' directly to filesystem writes. In a skill with `write` and `bash` access, that creates a real risk of unintended persistence of sensitive conversation content or attacker-influenced markdown into the user's vault without a narrowly scoped confirmation or path validation step.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The instructions document direct vault writes and optional writeback into NotebookLM but do not prominently warn users that these are persistent side effects affecting local knowledge stores and external notebook content. Lack of a clear warning increases the likelihood of accidental disclosure, contamination of notes, or unwanted retention of generated or sensitive material.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The persist subcommand allows arbitrary user-supplied relative paths to be joined with the vault directory and written without normalization or boundary enforcement. An attacker or confused caller can supply paths like ../../outside.txt or overwrite existing vault files, causing unauthorized file modification outside the intended Obsidian area.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The test case instructs users to run a `research` command that creates a new NotebookLM notebook via network-backed research, but it provides no warning that the action may transmit topic data to an external service and will modify the user's account state by creating persistent resources. Even in test documentation, undisclosed external calls and account-side changes are risky because users may execute them in real environments without understanding privacy, cost, or data-governance implications.

VirusTotal

66/66 vendors flagged this skill as clean.
