Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
NotebookLM CLI Cookies
v0.1.4Search and answer questions over documents already uploaded to NotebookLM using the nlm CLI. Use when users ask to find information, summarize sources, or query a specific NotebookLM notebook.
⭐ 0· 1k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (query NotebookLM via the nlm CLI) matches the declared runtime requirement (nlm binary and NOTEBOOKLM_MCP_CLI_PATH). However included helper scripts perform system bootstrap, install packages, and optionally fetch secrets from AWS; these system-level capabilities are broader than the simple query purpose and are not declared in the minimal metadata.
Instruction Scope
SKILL.md runtime instructions are narrowly scoped to running nlm and checking NOTEBOOKLM_MCP_CLI_PATH, and explicitly instruct not to use web or local files beyond NotebookLM. But the repository also ships injector and bootstrap scripts that read/write auth JSON, may call aws CLI, and will modify system configuration when executed. Those scripts introduce additional runtime behaviors that are not covered in the SKILL.md 'hard rules' and are therefore out-of-band relative to the runtime instructions.
Install Mechanism
There is no automatic install spec, but the provided bootstrap script will run apt-get, pipx/pip installs, npm/pnpm installs, create systemd drop-ins, and add groups/users — actions requiring sudo and affecting system state. While reasonable for a self-hosted VPS installation, these are high-impact operations and should not be executed without reviewing the script and running it only in a trusted environment.
Credentials
The skill metadata declares only NOTEBOOKLM_MCP_CLI_PATH, but the injector/bootstrap scripts accept and use multiple other inputs (NOTEBOOKLM_AUTH_SECRET_FILE, NOTEBOOKLM_AUTH_SECRET_JSON, NOTEBOOKLM_AUTH_SECRET_ID and AWS_REGION/AWS_DEFAULT_REGION, NOTEBOOKLM_AUTH_FILE, etc.). Those inputs can grant access to sensitive Google cookies and allow the script to fetch secrets from AWS Secrets Manager — privileges that are sensitive and should be explicitly declared and scoped (least privilege).
Persistence & Privilege
The bootstrap script can install a helper injector, modify ~/.openclaw/openclaw.json to inject environment variables, create /etc/openclaw/notebooklm-auth.json, change group membership, and install a systemd drop-in that runs the injector on service start. Although the skill itself is not flagged always:true, these actions give the skill persistent integration into system services and require careful review before use.
Scan Findings in Context
[aws-secretsmanager-get-secret-value] expected: The aws CLI call to 'secretsmanager get-secret-value' appears in scripts/aws-inject-notebooklm-auth.sh and is a supported injection pathway for the cookie JSON. It is coherent with a headless injection workflow but introduces a need for AWS credentials/permissions which are not declared in the skill metadata.
[writes-sensitive-cookie-files] expected: Scripts write cookies.json and metadata.json into NOTEBOOKLM_MCP_CLI_PATH/profiles/default — required to make nlm work headless. This is expected for NotebookLM auth, but these files are highly sensitive (contain Google session cookies) and the skill bundles code to create them.
[systemd-dropin-and-service-modification] expected: bootstrap_vps_systemd_one_liner.sh can create a systemd drop-in and restart a user-provided service to wire in the injector. This is consistent with the provided VPS integration use-case but is a privileged operation requiring sudo and should be reviewed before execution.
[pkg-install-apt-pipx-npm] expected: The bootstrap installs system packages (apt), pipx/pip packages, and may install the ClawHub CLI via npm/pnpm. These are expected for setting up nlm and the OpenClaw workspace on a fresh VPS; they are not malicious but are high-impact and may alter host environments.
What to consider before installing
This skill is functionally coherent but includes powerful helper scripts that: (1) accept and write your NotebookLM Google cookies (cookies.json/metadata.json); (2) can pull that auth JSON from an AWS Secrets Manager secret if you provide NOTEBOOKLM_AUTH_SECRET_ID and AWS credentials; and (3) can install packages and create systemd drop-ins on your VPS. Before installing or running the bootstrap: - Inspect the scripts top-to-bottom and run them only on machines you control. - Do not run the bootstrap on shared or untrusted hosts. - If you will use the AWS secret path, grant the minimal IAM permissions needed (secretsmanager:GetSecretValue) scoped to the specific secret; do not reuse high-privilege AWS credentials. - Keep auth JSON and cookies out of version control; follow the docs' recommendations for file permissions. - If you only need the skill for ad-hoc local queries, avoid running the systemd/bootstrap flow and instead manually place cookies.json/metadata.json into NOTEBOOKLM_MCP_CLI_PATH and set that env var. - If unsure about the author/source (owner ID unknown, no homepage), prefer manual setup over running the provided bootstrap.Like a lobster shell, security has layers — review code before you run it.
latestvk976nkbk3ge3grbkv4ca0wegf58130n9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsnlm
EnvNOTEBOOKLM_MCP_CLI_PATH