Back to skill

Security audit

Notebooklm

Security checks across malware telemetry and agentic risk

Overview

This NotebookLM skill appears functional, but it uses Google-authenticated browser automation with evasion-oriented behavior and persistent session storage that users should review carefully before installing.

Install only if you are comfortable letting the skill automate a logged-in Google/NotebookLM browser session and store reusable session data locally. Use a dedicated Google account and non-sensitive notebooks, protect or delete the stored browser state when finished, avoid public 'anyone with link' notebooks for confidential material, and do not rely on the skill for workflows that must comply strictly with Google service limits or enterprise data-handling rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Run the script
    try:
        result = subprocess.run(cmd)
        sys.exit(result.returncode)
    except KeyboardInterrupt:
        print("\n⚠️ Interrupted by user")
Confidence
83% confidence
Finding
result = subprocess.run(cmd)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)

                # Install requirements
                result = subprocess.run(
                    [str(self.venv_pip), "install", "-r", str(self.requirements_file)],
                    check=True,
                    capture_output=True,
Confidence
89% confidence
Finding
result = subprocess.run( [str(self.venv_pip), "install", "-r", str(self.requirements_file)], check=True, capture_output=True

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# See: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright-python#anti-detection
                print("🌐 Installing Google Chrome for Patchright...")
                try:
                    subprocess.run(
                        [str(self.venv_python), "-m", "patchright", "install", "chrome"],
                        check=True,
                        capture_output=True,
Confidence
92% confidence
Finding
subprocess.run( [str(self.venv_python), "-m", "patchright", "install", "chrome"], check=True, capture_output

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly directs the agent to execute shell commands, create a virtual environment, install dependencies, read and write local files, and manage persistent state, yet it declares no permissions. This mismatch weakens user awareness and any permission-gating or policy enforcement that depends on declared capabilities, increasing the chance of unexpected code execution and filesystem access.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The documentation says each query uses a fresh browser session and closes, but elsewhere it documents persistent authentication storage, browser cookies, and session state. This inconsistency can mislead users and reviewers about the actual privacy and security properties of the skill, causing them to expose Google-authenticated sessions or sensitive notebook access under false assumptions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The guide explicitly recommends switching and rotating multiple Google accounts to work around service-imposed rate limits. This encourages bypassing platform controls and can expose users to account misuse, policy violations, and privacy risks when credentials for multiple accounts are handled by the automation.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script presents itself as a simple interface for obtaining NotebookLM answers, but it appends its own follow-up instruction block to the returned content. This breaks source fidelity and can mislead downstream agents or users into treating injected text as NotebookLM output, creating an integrity and prompt-injection-style control risk in agent workflows.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The function contract says it returns NotebookLM answer text, but the implementation silently modifies that answer before returning it. In an agent skill that advertises source-grounded responses, this discrepancy is security-relevant because it undermines trust boundaries and can cause downstream logic to consume non-source-backed instructions as if they came from NotebookLM.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The browser launch configuration deliberately suppresses automation indicators and uses anti-detection settings such as ignoring the default automation flag and presenting itself as a real Chrome profile. For a skill whose stated purpose is querying NotebookLM, these evasion features are not necessary and increase the risk that the skill can bypass site bot-detection or policy controls during authenticated browsing.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The human-like typing delays, randomized pauses, and realistic mouse-movement/click simulation are behavioral evasion techniques intended to make automation resemble a human user. In the context of a document-querying skill, this exceeds legitimate functional needs and could be repurposed to avoid behavioral detection on websites while operating under a user's authenticated session.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This file implements a universal script runner capable of invoking arbitrary local skill scripts, which is broader than the advertised purpose of querying NotebookLM. In skill ecosystems, such a generic dispatcher increases risk because compromised, unexpected, or future-added scripts can inherit an easy execution path, effectively turning the skill into a local execution framework.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The setup script installs Google Chrome specifically to support Patchright 'anti-detection' behavior and consistent browser fingerprinting, which is not necessary for the stated purpose of querying NotebookLM. This suggests deliberate evasion of bot detection or platform controls, increasing the likelihood of stealthy browser automation against third-party services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly describes saving full authenticated browser state to `state.json` and manually re-injecting cookies, but it does not warn that this file can function like a bearer token for the user's Google session. In the context of a skill that automates access to Google NotebookLM, omission of handling guidance for this artifact increases the chance that users store it insecurely, leak it via backups/logs/repos, or expose it to other local processes, enabling account/session hijacking and privacy compromise.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to share NotebookLM notebooks via 'Anyone with link' but does not prominently explain that this can expose the notebook’s contents to anyone who obtains the link. Because the skill is designed to work with private documents and source materials, this omission can lead users to unintentionally broaden access to sensitive data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to authenticate to Google and stores auth status, cookies, and browser session data locally, but it does not provide a sufficiently prominent pre-use warning or consent flow about what sensitive data will be retained. Stored browser state can be reused by local attackers, other processes, or future automations to access the user's NotebookLM/Google session.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The troubleshooting guide includes destructive reset steps such as deleting the local library file and removing the virtual environment without clearly warning about irreversible changes or possible data loss. In an agent-executed context, these commands could be followed mechanically and wipe local state the user expected to preserve.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The advice to switch or rotate Google accounts omits clear warnings about credential separation, auditability, and privacy implications of using multiple accounts with persistent browser profiles. This can lead users to expose additional accounts to automation and weaken accountability for data access.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The guidance explicitly suggests switching Google accounts when rate limited by running reauthentication and logging in with a different account, without requiring user consent, policy checks, or justification. In a skill that automates browser-based access to user notebooks, this encourages bypassing service limits and may cause an agent to operate on a different identity or dataset than the user intended.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Telling operators to export important answers locally omits any warning that NotebookLM responses may contain sensitive notebook-derived content, citations, or proprietary material. In this skill's context, local exports can create unmanaged copies outside the original access controls, increasing risk of data leakage, retention, and accidental commit or sharing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script prints the full question to stdout, which can disclose sensitive prompts, proprietary content, credentials, or personal data into terminals, shell history capture, CI logs, or centralized log systems. In this skill's context, users may ask document-grounded questions containing sensitive notebook material, so unintended exposure is more dangerous than in a generic toy script.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill automatically transmits user questions to NotebookLM via browser automation without an explicit privacy or network-transmission warning at the point of use. While remote submission is inherent to the product, the lack of clear disclosure can lead users or calling agents to send sensitive material off-host unintentionally, especially given the skill's positioning as a convenient local interface.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persists full browser storage state to disk, which can include authenticated session cookies and localStorage tokens for Google/NotebookLM. If these files are readable by other local users, included in backups, or exfiltrated by malware, an attacker may be able to reuse the session and access the user's NotebookLM account without re-authenticating.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code logs the full user question to stdout, which can expose sensitive prompts, document contents, credentials, or internal business data through terminal history, process logs, CI logs, or centralized log collectors. In this skill's context, users are querying NotebookLM notebooks that may contain proprietary or confidential source material, so prompt logging is more dangerous than in a generic chat application.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The comments explicitly endorse 'anti-detection' and browser fingerprint consistency, indicating intent to evade detection rather than simply automate a browser. In the context of a NotebookLM querying skill, that materially increases risk because it implies bypassing platform safeguards or terms rather than using an officially supported integration.

Ssd 2

Medium
Confidence
95% confidence
Finding
The documentation explicitly markets 'better anti-detection' as a feature, which frames evasion of platform automation detection as desirable behavior. In a browser automation skill targeting a Google service, this increases the likelihood of terms-of-service violations, account flagging, and abusive use patterns.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.