NotebookLM Studio

Security checks across malware telemetry and agentic risk

Overview

This is a coherent NotebookLM automation skill whose sensitive behaviors are disclosed: it uses a local Google NotebookLM session, writes local output files, optionally delivers results via Telegram, and optionally runs recovery polling for pending artifacts.

Install only if you trust the publisher and the external notebooklm-py dependency. Treat ~/.notebooklm/storage_state.json like a password, avoid using shared servers for it, confirm any Telegram chat ID before delivery, and enable the recovery cron only if you want background polling and downloads for pending artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill performs local file writes such as creating output directories, saving downloaded artifacts, and writing delivery-status.json, but no corresponding permissions are declared. This creates a transparency and containment problem: callers and policy systems cannot accurately assess or restrict the skill’s filesystem side effects, increasing the risk of unintended overwrites or data persistence.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The declared description emphasizes importing sources and generating study artifacts, but the workflow also includes persistent local storage, task polling/recovery behavior, artifact downloading, and audio post-processing. This mismatch can mislead users and security controls about the true operational footprint of the skill, making broader side effects easier to smuggle in under an apparently narrower purpose.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file defines a substantial Telegram delivery workflow, including retries, status tracking, file uploads, and completion semantics, which goes beyond the skill's stated NotebookLM import-and-generation purpose. This scope expansion increases the agent's operational authority and can cause unintended exfiltration of generated or user-supplied content to external chat targets if the delivery path is triggered without sufficiently explicit user consent and boundary checks.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README explicitly instructs users to copy `~/.notebooklm/storage_state.json` from one machine to another, which is effectively session-token transfer. That file likely contains authenticated browser/session state, so anyone with access to it may be able to impersonate the user in NotebookLM without re-authenticating. In an agent skill context, this is more dangerous because the copied credential may be placed on headless servers, CI hosts, or multi-user systems where compromise impact is higher.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to copy `~/.notebooklm/storage_state.json` from a local machine to a server to enable headless operation, but it does not explicitly warn that this file is an authentication/session credential equivalent. Anyone who obtains that file may be able to impersonate the user’s NotebookLM session until it expires or is revoked. In a skill context that automates remote processing, normalizing credential transfer to servers increases the chance of accidental exposure through backups, logs, weak server hygiene, or multi-user environments.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The skill defaults the output language to zh_Hant and explicitly notes that language is a global account-wide setting affecting all notebooks. Changing a global setting without explicit opt-in can alter unrelated user workflows, leak preference assumptions, and create cross-task side effects beyond the current request.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The skill sets a global default language to `zh_Hant` and instructs the agent to ask once, but also allows immediate defaulting in 'use defaults' scenarios. This can cause unintended processing or output in a language the user did not request, leading to misleading results, degraded usability, and potential mishandling of user content in multilingual workflows.

VirusTotal

66/66 vendors flagged this skill as clean.
