Back to skill
Skillv0.1.0
ClawScan security
nlm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 8:51 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only helper for the nlm CLI and its requirements and instructions are consistent with that purpose.
- Guidance
- This SKILL.md is a straightforward cheat-sheet for the `nlm` CLI. Before using or automating it, confirm you trust the `nlm` binary source (the GitHub repo is provided) and install via your preferred vetted package manager (pipx/uv). Be aware that: (1) adding local files uploads their contents to NotebookLM, (2) login uses browser cookies and optionally a local CDP URL — only point the CLI at a local service you control (the CDP URL hands that service control over a browser session), and (3) share/invite commands can make notebooks accessible to others. If you need higher assurance, inspect the actual `nlm` package source and avoid using the OpenClaw/CDP provider unless you know what runs on localhost:18800.
Review Dimensions
- Purpose & Capability
- okName/description match the requested artifact: the SKILL instructs use of the `nlm` binary and documents notebook/list/create/query/share/source/drive operations that are exactly what a NotebookLM CLI would do. The documented install options (uv/pipx/pip) and lack of unrelated env vars or config paths are proportionate.
- Instruction Scope
- noteThe SKILL.md stays on-topic (commands to login, manage notebooks, add sources, create artifacts, etc.). It does reference adding local files (e.g., `--file ./notes.pdf`) and using browser-based auth / an OpenClaw-managed CDP URL (http://127.0.0.1:18800). Those are expected for a CLI that uses browser cookies or browser automation for auth, but users should be aware that local files will be uploaded to NotebookLM and that connecting a CDP URL hands control of a browser session to whatever service is listening on that port.
- Install Mechanism
- okThis is an instruction-only skill with no install spec or code files. The metadata suggests installing `notebooklm-mcp-cli` via uv/pipx/pip — standard package distribution routes for a Python CLI and proportionate to the described functionality. No obscure download URLs or archive extraction are present.
- Credentials
- okNo required environment variables, credentials, or config paths are declared. The SKILL.md does note that auth depends on browser cookies and mentions an optional OpenClaw provider and local CDP URL; those are plausible for interactive auth but mean the CLI may rely on session cookies or a local service for automated browser auth.
- Persistence & Privilege
- okalways is false and there is no install script or code that persists or modifies other skills. Autonomous invocation is allowed (platform default) but there are no extra privileges or permanent presence requested by this skill.