Skill v2.0.0

ClawScan security

NotebookLM Distiller · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 1:57 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely does what it advertises (extract NotebookLM content into Obsidian) but contains a few incoherences and behaviors that warrant caution before installing or running it on sensitive data or an important vault.
Guidance
This skill appears to implement the described NotebookLM→Obsidian features, but proceed carefully:
1) Review scripts/distill.py locally before enabling — it runs shell commands and writes files.
2) Use a temporary or backup Obsidian vault for first runs to confirm outputs and avoid accidental overwrites.
3) Be aware it requires you to authenticate NotebookLM (notebooklm login creates ~/.book_client_session) and may push distilled notes back into your NotebookLM if you use --writeback.
4) Consider disabling automatic triggers or requiring explicit confirmation before execution (the SKILL.md's 'do NOT ask for clarification' rule is risky).
5) If you use DeepReader integration, verify you trust that other skill because the orchestration can chain actions across skills.
If you want, I can point out exact lines in scripts/distill.py to review or produce a safe checklist to sandbox the skill.

Review Dimensions

Purpose & Capability
note: Name/description match the code, and the required binaries (python3 + notebooklm CLI) are reasonable for a NotebookLM→Obsidian distiller. Minor metadata mismatch: the registry says 'no install spec' but SKILL.md includes an install recommendation (pip: notebooklm-py). Otherwise the requested tools and files (notebooklm CLI, optional DeepReader integration) are proportionate to the stated purpose.
Instruction Scope
concern: SKILL.md instructs the agent to immediately execute subcommands on trigger phrases and explicitly says 'Do NOT ask for clarification. Execute the appropriate subcommand immediately.' That grants the agent broad discretion and could cause unconfirmed writes. The skill also describes an orchestration path that may call DeepReader (another skill) and instructs running external commands (notebooklm ask --new, notebooklm source add). The script writes files into user-supplied vault paths (including an arbitrary --path for persist), so unintended writes / overwrites are possible if triggers are imprecise.
Install Mechanism
note: No installer in the registry (instruction-only) — lowest risk — but SKILL.md recommends 'pip install notebooklm-py' and requirements.txt lists notebooklm-py, which is consistent. There are no downloads from untrusted URLs or extractable archives in the package. The small inconsistency between the registry install metadata and SKILL.md should be clarified, but the actual install steps are standard (pip).
Credentials
note: The skill declares no required environment variables and needs only the notebooklm CLI + Python, which fits the purpose. In practice it relies on you running 'notebooklm login' (creates ~/.book_client_session) and will therefore use your Google-linked NotebookLM account — that is expected but is sensitive. It may also consult a DeepReader path under ~/.openclaw if present. No unrelated credentials are requested by the skill itself.
Persistence & Privilege
note: always:false is set and no system-wide config changes are requested, which is appropriate. However, the skill is explicitly capable of writing files into arbitrary directories you point it at (the --vault-dir and --path options) and also offers a --writeback option to push notes back into NotebookLM. That write capability is necessary for the feature but increases risk if triggers run without explicit user confirmation.