Security audit

Notebooklm

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate NotebookLM automation helper, but it gives agents broad upload, login, and notebook-management authority without enough privacy and credential safeguards.

Install only if you intentionally want an agent to use NotebookLM on your behalf. Use a dedicated account when possible, avoid uploading confidential or regulated files, confirm every upload or deletion, and understand where the NotebookLM CLI stores login tokens and how to revoke or remove them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding:
The skill exposes shell-capable commands throughout the documentation but does not declare any permissions or execution boundaries. In an agent environment, this can cause the skill to be invoked with broader command-execution capability than users expect, increasing the risk of unintended command execution, package installation, login flows, and filesystem access.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The trigger description is very broad, covering many generic research, content-generation, and knowledge-management tasks without precise boundaries. That makes accidental or over-broad invocation more likely, which is dangerous here because the skill can authenticate to an external service, upload local files, perform network research, and delete notebooks.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The authentication section states that credentials are stored locally after first login, but it does not clearly warn users about the security and privacy implications of local token persistence. In shared or multi-user environments, persisted credentials can be reused by other local users, copied from disk, or unintentionally included in backups.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill encourages uploading local files, webpages, YouTube links, and research results to an external third-party service, but does not clearly warn that potentially sensitive data will leave the local environment. In this context, broad triggering and support for arbitrary files make accidental exfiltration of confidential documents, media, or regulated data substantially more dangerous.

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.