Notebooklm

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate NotebookLM purpose, but it stores reusable Google session data and uses stealth-style browser automation with several under-disclosed or risky workflows.

Install only if you are comfortable letting local scripts automate a logged-in Google NotebookLM browser. Prefer a dedicated Google account, avoid sensitive notebooks or public 'anyone with link' sharing, protect or regularly clear the skill data directory, and set limits before allowing automatic follow-up queries.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
)

# Install requirements
result = subprocess.run(
    [str(self.venv_pip), "install", "-r", str(self.requirements_file)],
    check=True,
    capture_output=True,
Confidence: 86%
Finding
result = subprocess.run( [str(self.venv_pip), "install", "-r", str(self.requirements_file)], check=True, capture_output=True

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
# See: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright-python#anti-detection
print("🌐 Installing Google Chrome for Patchright...")
try:
    subprocess.run(
        [str(self.venv_python), "-m", "patchright", "install", "chrome"],
        check=True,
        capture_output=True,
Confidence: 93%
Finding
subprocess.run( [str(self.venv_python), "-m", "patchright", "install", "chrome"], check=True, capture_output

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill instructs the agent to execute shell commands, create virtual environments, install dependencies, read and write local files, and manage persistent state, but it declares no permissions or safety boundaries. This creates a transparency and policy gap: users and the hosting system are not clearly informed that the skill can modify the filesystem and run arbitrary local tooling, increasing the chance of unsafe execution under misleading assumptions.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The documentation says each query uses a fresh browser session and closes, yet elsewhere it states that authentication and browser session state are persisted. This inconsistency can mislead users about privacy and isolation guarantees, causing them to believe no long-lived session artifacts remain when cookies and authenticated state are actually retained on disk.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The limitations section claims there is no session persistence, but the skill explicitly stores authentication status, browser cookies, and session state under a local data directory. This contradiction materially understates the privacy and security exposure of the skill, especially on shared machines or developer environments where stored browser state could be reused or exfiltrated.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The troubleshooting guide explicitly documents switching and rotating multiple Google accounts to bypass service rate limits, which exceeds the stated notebook-query purpose and introduces a misuse workflow. Even in documentation form, this normalizes quota evasion and enables sustained automated access using multiple identities.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding
The file documents notebook listing, searching, adding, and activating operations, which are materially broader than the manifest's query-only description. This capability mismatch increases risk because operators may grant trust or permissions based on an incomplete understanding of what the skill can do remotely.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding
The guide recommends using multiple Google accounts and reauthentication to work around daily rate limits, which is an evasion pattern rather than legitimate troubleshooting. This can facilitate policy circumvention, increase abuse capacity, and expose organizations to account governance and compliance issues.

Intent-Code Divergence

Severity: Medium
Confidence: 80%
Finding
The safety statement says the skill only accesses NotebookLM, but the same guide documents browser automation, local process control, filesystem access, environment variable use, package installation, and proxy/network configuration. Misrepresenting the operational surface can lead users to underestimate risk and approve use in environments where such behaviors are not acceptable.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
Importing this package automatically creates a virtual environment and installs dependencies and browser binaries, causing network access and code execution as a side effect of a simple import. That is dangerous because any consumer importing the package triggers broader system changes than expected, expanding the trust boundary and increasing the risk from compromised dependencies or accidental execution in sensitive environments.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The code explicitly enables anti-detection behavior by using a patched browser driver, disabling the automation flag, forcing a real Chrome channel, and applying a custom user agent. For a notebook-querying skill, these evasion features are not necessary for core functionality and can help conceal automated access from service defenses, increasing the risk of policy bypass or unauthorized scripted use.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The helper implements human-like typing delays, random pauses, mouse movement, and realistic click simulation, which are classic interaction-evasion techniques. In this skill's context, querying NotebookLM does not require disguising automation as human input, so these routines expand capability toward stealthy browser automation and can be used to evade bot-detection or obscure scripted behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The browser arguments include '--disable-blink-features=AutomationControlled', which is explicitly intended to mask automation by patching navigator.webdriver. For a skill whose stated purpose is querying NotebookLM, this anti-detection behavior is not necessary for core functionality and increases risk by enabling stealthy browser automation that can bypass site defenses or violate platform expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The code comments state that Chrome is installed to achieve consistent browser fingerprinting and anti-detection, which is strongly suspicious for stealth automation rather than ordinary NotebookLM access. In this skill's context, that mismatch makes the behavior significantly more dangerous because it suggests deliberate evasion capabilities unrelated to the advertised functionality.

Intent-Code Divergence

Severity: Low
Confidence: 95%
Finding
The documentation presents the browser install as reliability-related, while also explicitly citing anti-detection and fingerprinting as the rationale. This discrepancy is a trust and transparency problem that can conceal risky behavior from reviewers and users, increasing the likelihood that stealth-oriented automation is deployed without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation explicitly instructs saving authenticated browser state, including cookies, to `state.json` but does not warn that this file can function as a bearer token for the user's Google session. In the context of a skill that automates access to NotebookLM, exposure of this file could enable session hijacking, unintended account access, or reuse of stale authenticated state without user awareness.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The manual cookie injection workflow restores authenticated sessions from `state.json`, effectively rehydrating a logged-in browser context, but the documentation omits the security implications of doing so. In this skill's context, that omission is more dangerous because the feature is central to persistent access to a Google account, so users may treat the file as routine state rather than sensitive authentication material.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README instructs users to share NotebookLM notebooks as 'Anyone with link' without an immediate, explicit warning about the privacy implications. Because these notebooks may contain proprietary documents, internal manuals, or personal data, this guidance can cause accidental data exposure to anyone who obtains the link.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The skill documents notebook removal and cleanup commands without requiring an explicit confirmation step or strong warning in the user workflow. An agent following these instructions could delete notebook metadata or clear authentication/session state unexpectedly, leading to loss of configuration, forced reauthentication, or disruption of user access.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill states that authentication info and browser state are stored locally, including cookies and session data, but it does not present a clear privacy warning or risk explanation. Stored Google session artifacts are sensitive: if the local machine, home directory, backups, or logs are exposed, an attacker may gain access to authenticated NotebookLM sessions or related account activity.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The cleanup instructions include terminating browser processes and deleting or resetting local state without a prominent warning about potential data loss, side effects, or impact on unrelated sessions. Users following troubleshooting steps may disrupt other work or irreversibly remove local notebook metadata.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The complete reset procedure performs forceful cleanup and removes the virtual environment, which can irreversibly alter the installation and delete local state. Without strong warnings and scoped impact descriptions, this creates an avoidable risk of user-induced damage during routine troubleshooting.

Natural-Language Policy Violations

Severity: High
Confidence: 97%
Finding
The guide advises enabling a weaker authentication setting ('Less secure app access' if available), which directly reduces account security posture and may encourage users to bypass normal protections. In the context of Google account automation, this can increase the likelihood of credential compromise or policy violations.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation recommends querying a shared NotebookLM URL to discover notebook contents without instructing the operator to confirm authorization or warn the user that private notebook data may be accessed. In a tool designed to interact with user notebooks through persistent Google authentication, this can lead to unintended access, summarization, or storage of sensitive information from notebooks the operator can open.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The code persists Playwright storage state, which includes cookies and localStorage, to disk as part of the normal authentication workflow. In a tool that automates access to a Google account, this creates a real credential-exposure risk if the state file is stored with weak filesystem permissions, synced, backed up, or accessed by another local user or process; the lack of an explicit warning increases the chance users will mishandle sensitive session data.

VirusTotal

65/65 vendors flagged this skill as clean.