NotebookLM Auth Bypass

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates NotebookLM auth recovery, but it does so by extracting live Google/NotebookLM cookies and storing them for reuse.

Install only if you deliberately want an agent to extract your Google/NotebookLM session cookies and store them locally for reuse. Prefer official login flows. If you use it, treat ~/.notebooklm/storage_state.json, ~/.notebooklm/auth_payload.json, and NOTEBOOKLM_AUTH_JSON as sensitive secrets and remove them when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Automatically apply to Windows User Environment Variable to bypass the Playwright browser lock bug
if sys.platform == "win32":
    print("Injecting cookies into Windows Environment Variable NOTEBOOKLM_AUTH_JSON...")
    subprocess.run([
        "powershell", "-Command",
        f'[Environment]::SetEnvironmentVariable("NOTEBOOKLM_AUTH_JSON", \'{env_json}\', "User")'
    ], check=True)
Confidence
89% confidence
Finding
subprocess.run([ "powershell", "-Command", f'[Environment]::SetEnvironmentVariable("NOTEBOOKLM_AUTH_JSON", \'{env_json}\', "User")'

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill exposes shell and file-write capabilities without declaring permissions, reducing transparency and bypassing normal trust boundaries for a tool that can modify local state. In this context, the undeclared capabilities are especially dangerous because the documented auth-recovery flow writes stolen authentication material into persistent environment variables.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The stated purpose is NotebookLM control, but the behavior includes extracting cookies, persisting browser auth state, and injecting credentials into Windows environment variables. That mismatch is a strong indicator of deceptive functionality and creates a high-risk credential theft and persistence mechanism unrelated to the advertised purpose.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The README makes a safety assurance about consent and 'no silent credential harvesting' while the same document later describes a mechanism to obtain fresh Google auth cookies and inject them into persistent environment storage. That contradiction is a strong red flag because auth cookies are equivalent to session credentials, and presenting credential extraction as a recovery feature can socially engineer users into authorizing account-token theft or unsafe long-term storage.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The recovery procedure explicitly instructs running a script that 'steals fresh cookies' and injects them into environment variables. This is direct credential harvesting and persistence, which can enable account compromise, session hijacking, and reuse of secrets by other processes on the system.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Credential harvesting and environment-variable injection are not necessary to control NotebookLM and represent an unjustified expansion of capability into secret exfiltration and persistence. Because the skill presents this as routine recovery, it normalizes unsafe behavior and increases the chance a user will authorize compromise of their account material.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This code takes NotebookLM authentication cookies and persists them as a user environment variable, effectively turning live browser session credentials into a broadly accessible OS-level secret. In the context of a NotebookLM control skill, that is more dangerous because it enables reuse of the user's authenticated session outside the browser and increases the blast radius if the workstation or account is compromised.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
Launching an external PowerShell process to modify user environment state exceeds the minimal capabilities expected for browser automation and introduces unnecessary system-level side effects. Even without shell injection, this expands the trust boundary and makes the script capable of changing persistent OS configuration in ways unrelated to simply controlling NotebookLM.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README normalizes handling sensitive Google session cookies and injecting them into an environment variable without clearly warning that these cookies can grant direct account access if exposed. In an agent skill context, this is especially dangerous because automation may propagate, log, or persist secrets in places not designed for high-value session tokens.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The text explicitly says the script 'steals fresh cookies,' which is an unambiguous description of credential theft behavior. Even if framed as troubleshooting, directing an agent to obtain live authentication cookies from a browser session creates a high risk of account compromise, session hijacking, and unauthorized persistence of access.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill lacks a clear user-facing warning that its recovery flow manipulates authentication cookies and persists them in environment variables. Omitting that warning prevents informed consent for highly sensitive actions and increases the risk that users will unknowingly expose reusable credentials.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script extracts browser cookies from an authenticated NotebookLM session and writes them to disk in JSON files without any protection, encryption, or strong user warning. Those cookies are effectively bearer tokens, so anyone who can read the files may be able to hijack the user's NotebookLM/Google session.

Missing User Warnings

High
Confidence
99% confidence
Finding
Injecting authentication cookies into a persistent user environment variable exposes sensitive session data to a wider set of processes, tools, and debugging surfaces than intended. In this skill's context, that is especially risky because the code is explicitly harvesting live NotebookLM auth state and making it reusable outside the browser, which can facilitate credential theft or session hijacking.

Ssd 3

High
Confidence
99% confidence
Finding
This instruction tells the agent to fetch fresh authentication cookies and place them into persistent environment storage, effectively converting short-lived browser session material into reusable agent-accessible credentials. In the context of an autonomous skill, that materially increases the blast radius because the credentials may be reused, leaked through process/environment inspection, or exfiltrated by other components.

Ssd 3

High
Confidence
99% confidence
Finding
The instruction explicitly directs collection and persistent storage of authentication cookies in environment variables, which are broadly accessible to local processes and often leak through logs, crash reports, or child-process inheritance. This creates a durable compromise path for session tokens and materially increases the blast radius of any local exposure.

VirusTotal

64/64 vendors flagged this skill as clean.
