NotebookLM CLI Cookies
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for querying NotebookLM, but it deserves careful review because it uses Google session cookies and exposes a broad raw `nlm` command passthrough from Telegram.
Install only if you are comfortable storing NotebookLM/Google cookies for headless use. Review who can send `/nlm` commands to the bot, restrict the command set if possible, and keep the auth JSON and generated cookie files protected and easy to revoke.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Telegram command could drive the NotebookLM CLI directly and return its stdout, which may expose notebook information or perform other `nlm` actions available in the installed CLI.
This exposes a raw CLI passthrough rather than a scoped query workflow. Because the CLI runs with pre-injected NotebookLM credentials, users could trigger commands beyond the stated search/query use case unless the runtime separately restricts them.
If the user invokes this skill via `/nlm ...` in Telegram, treat the raw text after `/nlm` as the `nlm` arguments.
- Always execute exactly: `nlm <args>` via Exec
Restrict `/nlm` to an allowlisted set of read-only commands such as login check, notebook list, and notebook query, and require explicit confirmation for alias changes or any mutating commands.
Installing and using the skill requires handling Google session cookies that may grant access to the user's NotebookLM account if copied, leaked, or misused.
The skill requires reusable NotebookLM/Google session cookies, while the registry metadata says the primary credential is none. The docs warn about the credential sensitivity, but the registry contract under-declares this high-impact account access.
`notebooklm-auth.json`, `cookies.json`, and `metadata.json` are credentials. Never commit them to git. Never share them publicly.
Declare the credential requirement explicitly in metadata, document exact cookie scope and revocation steps, and prefer a managed secret store over raw environment variables or manually copied files.
Running the bootstrap gives package-manager-installed code and global CLIs influence over the VPS environment.
The optional bootstrap installs unpinned dependencies and global CLIs from package managers. This is expected for setup, but users should understand the supply-chain trust they are accepting.
sudo apt-get install -y jq python3-pip python3-venv pipx ... pipx install notebooklm-mcp-cli ... sudo npm i -g clawhub
Pin package versions where possible, review the installed packages, and run the bootstrap only on a dedicated environment or after taking a backup.
The OpenClaw service can keep re-injecting NotebookLM cookies on each restart until the systemd drop-in is removed.
When a service is provided, the script creates a systemd drop-in that runs the auth injector before OpenClaw starts. This is disclosed and purpose-aligned, but it is a persistent startup hook.
ExecStartPre=${INJECT_BIN}
Document how to remove the drop-in and credential files, and only enable the systemd integration if persistent headless NotebookLM access is needed.
