Back to skill

Security audit

NotebookLM RAG Line

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it needs review because it can automate a logged-in Chrome/NotebookLM session and auto-install browser automation code at runtime.

Install only if you are comfortable using browser automation with NotebookLM. Use a dedicated Chrome profile with only the needed notebook access, preinstall and pin dependencies instead of allowing runtime pip installs, review the hardcoded notebook ID and Windows paths, and avoid storing confidential NotebookLM answers unless the local database and JSON files are protected. Enable the scheduled task only if recurring background updates are intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from patchright.sync_api import sync_playwright
        except ImportError:
            log("patchright not installed, installing...")
            subprocess.run([sys.executable, "-m", "pip", "install", "patchright"], check=True)
            from patchright.sync_api import sync_playwright

        if not os.path.exists(CHROME_PROFILE):
Confidence
92% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "patchright"], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation describes capabilities that write local files, access the network, and execute shell-installed tooling, but it does not declare permissions or boundaries for those actions. This weakens reviewability and consent because a user may enable a skill without understanding it can automate a browser session, call local model services, and persist data to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared purpose says the skill synchronizes NotebookLM knowledge to a LINE RAG store, but the document also describes materially different behavior: browser automation against a live web app, use of a local Chrome profile, a local HTTP server, scheduled execution, and LLM-generated answers/suggestions. This mismatch is dangerous because reviewers and users may underestimate the operational and privacy risks, especially around automated account access and exposure of a query endpoint.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Installing a Python package at runtime is not necessary for NotebookLM-to-RAG synchronization and materially expands the attack surface through dependency confusion, typosquatting, or compromise of the package or index. Because this skill also automates browser access using a persistent Chrome profile, any malicious package code would execute in a sensitive environment with access to local files and authenticated browser state.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script persists questions and NotebookLM answers to both a local SQLite database and a JSON output file without consent, minimization, encryption, or access controls. In this context, the data may contain sensitive internal knowledge, personal information, or proprietary material extracted from NotebookLM, so silent persistence increases the risk of local data exposure and secondary misuse.

Ssd 4

Medium
Confidence
93% confidence
Finding
The server concatenates untrusted conversation history and retrieved knowledge directly into a single user prompt with no trust-boundary markers or instruction isolation. An attacker can place prompt-injection content in chat history or poisoned knowledge-base entries to steer the model into ignoring intended behavior, leaking hidden context, fabricating answers, or producing unsafe output.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.