NotebookLM Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent with its NotebookLM purpose, but it asks for sensitive Google session access and includes anti-detection automation, Z-Library downloading, and rate-limit workarounds that warrant review before installation.

Install only if you are comfortable granting this skill access to authenticated Google NotebookLM sessions and local documents. Use a dedicated Google account, review the auth files under data/auth, avoid Z-Library workflows unless you have rights to the material, do not use account rotation to bypass limits, and treat generated downloads or folder sync deletes as real changes to your local and NotebookLM data.
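One way to carry out the "review the auth files under data/auth" step above, as an added example that is neither the skill's own tooling nor part of the SkillSpector report: the script assumes the auth files are storage_state JSON of the kind Playwright-family tools (including Patchright) write, reports which cookies and origins a file carries without ever echoing a cookie value, and flags any cookie domain outside a small allowlist that a NotebookLM-only tool plausibly needs. The data/auth path, the domain allowlist, the set of Google cookie names and the sample file are assumptions for this example.

```python
"""Inventory a Playwright-style storage_state file before handing it to a skill.

Added example, not part of the skill or the scanner. Values are never printed;
only metadata and value lengths are reported.
"""
from __future__ import annotations

import json
import sys
import time

# Well-known Google account cookie names (non-exhaustive). Any of these present
# means the file is a usable login, not just site preferences.
GOOGLE_AUTH_COOKIES = {
    "SID", "HSID", "SSID", "APISID", "SAPISID",
    "__Secure-1PSID", "__Secure-3PSID",
}

# Domains a NotebookLM-only automation plausibly needs (assumption for this example).
EXPECTED_DOMAINS = ("google.com", "googleapis.com", "gstatic.com")

# Constructed sample in storage_state format; values are placeholders, not real tokens.
SAMPLE_STATE = json.dumps({
    "cookies": [
        {"name": "SID", "value": "PLACEHOLDER", "domain": ".google.com", "path": "/",
         "expires": 1900000000, "httpOnly": False, "secure": True, "sameSite": "None"},
        {"name": "__Secure-1PSID", "value": "PLACEHOLDER", "domain": ".google.com",
         "path": "/", "expires": 1900000000, "httpOnly": True, "secure": True,
         "sameSite": "None"},
        {"name": "remix_userkey", "value": "PLACEHOLDER", "domain": "z-lib.example",
         "path": "/", "expires": -1, "httpOnly": True, "secure": True, "sameSite": "Lax"},
    ],
    "origins": [
        {"origin": "https://notebooklm.google.com",
         "localStorage": [{"name": "prefs", "value": "{}"}]},
    ],
})


def _in_expected(domain: str, expected=EXPECTED_DOMAINS) -> bool:
    host = domain.lstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in expected)


def summarize_cookies(state: dict, now: float | None = None) -> list[dict]:
    """One row per cookie: metadata only, value length instead of the value."""
    now = time.time() if now is None else now
    rows = []
    for c in state.get("cookies", []):
        expires = c.get("expires", -1)
        rows.append({
            "name": c["name"],
            "domain": c["domain"],
            "httpOnly": bool(c.get("httpOnly")),
            "secure": bool(c.get("secure")),
            # -1 marks a session cookie in Playwright's storage_state format
            "expires_in_days": None if expires == -1 else round((expires - now) / 86400, 1),
            "value_len": len(c.get("value", "")),
            "auth_cookie": c["name"] in GOOGLE_AUTH_COOKIES,
        })
    return rows


def unexpected_domains(state: dict, expected=EXPECTED_DOMAINS) -> set[str]:
    """Cookie domains a NotebookLM-only tool has no reason to hold."""
    return {c["domain"] for c in state.get("cookies", [])
            if not _in_expected(c["domain"], expected)}


def audit(text: str, now: float | None = None) -> dict:
    """Parse one storage_state document and return a value-free summary."""
    state = json.loads(text)
    rows = summarize_cookies(state, now)
    return {
        "cookies": rows,
        "auth_cookies": [r["name"] for r in rows if r["auth_cookie"]],
        "unexpected_domains": sorted(unexpected_domains(state)),
        "origins": [o.get("origin") for o in state.get("origins", [])],
    }


if __name__ == "__main__":
    # Usage: python audit_state.py data/auth/<file>.json  (path is an assumption);
    # with no argument the constructed sample is audited instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE
    print(json.dumps(audit(text), indent=2))
```

Run it over every file in the auth directory: more than one file holding Google auth cookies is the multi-account rotation the findings below warn about, and any domain in unexpected_domains is scope the tool's description did not declare.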

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (78)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            package_json = skill_dir / "package.json"
            if package_json.exists():
                print("   Installing Node.js dependencies...")
                subprocess.run(
                    ["npm", "install"],
                    check=True,
                    capture_output=True,
Confidence
95% confidence
Finding
subprocess.run( ["npm", "install"], check=True, capture_output=True, cwd=str(skill_dir)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                    capture_output=True,
                    cwd=str(skill_dir)
                )
                subprocess.run(
                    ["npm", "run", "install-browsers"],
                    check=True,
                    capture_output=True,
Confidence
96% confidence
Finding
subprocess.run( ["npm", "run", "install-browsers"], check=True, capture_output=True, cwd=str(skill_dir)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print("📦 Installing Python dependencies...")
    venv_python = get_venv_python()
    try:
        result = subprocess.run(
            [str(venv_python), "-m", "pip", "install", "-r", str(requirements_file), "--quiet"],
            capture_output=True,
            text=True,
Confidence
88% confidence
Finding
result = subprocess.run( [str(venv_python), "-m", "pip", "install", "-r", str(requirements_file), "--quiet"], capture_output=True, text=True, ti

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if os.name == 'nt':
            patchright_cmd = skill_dir / ".venv" / "Scripts" / "patchright.exe"

        result = subprocess.run(
            [str(patchright_cmd), "install", "chromium"],
            capture_output=True,
            text=True,
Confidence
86% confidence
Finding
result = subprocess.run( [str(patchright_cmd), "install", "chromium"], capture_output=True, text=True, timeout=300 # 5 minutes for browser down

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        # Pass remaining args to init_platform.py
        init_args = sys.argv[2:]
        cmd = [sys.executable, str(init_script)] + init_args
        result = subprocess.run(cmd)
        sys.exit(result.returncode)

    # Handle --check-deps flag for pre-flight dependency check
Confidence
84% confidence
Finding
result = subprocess.run(cmd)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Run the script
    try:
        result = subprocess.run(cmd)
        sys.exit(result.returncode)
    except KeyboardInterrupt:
        print("\n⚠️ Interrupted by user")
Confidence
89% confidence
Finding
result = subprocess.run(cmd)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        # Run setup with system Python
        try:
            result = subprocess.run(
                [sys.executable, str(setup_script)],
                timeout=TIMEOUT_VENV_SETUP
            )
Confidence
87% confidence
Finding
result = subprocess.run( [sys.executable, str(setup_script)], timeout=TIMEOUT_VENV_SETUP )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        print("📦 Installing agent-browser...")
        npm_cmd = _get_npm_command()
        try:
            result = subprocess.run(
                [npm_cmd, "install"],
                cwd=str(skill_dir),
                capture_output=True,
Confidence
88% confidence
Finding
result = subprocess.run( [npm_cmd, "install"], cwd=str(skill_dir), capture_output=True, text=True, timeout=T

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                )

                # Install requirements
                result = subprocess.run(
                    [str(self.venv_pip), "install", "-r", str(self.requirements_file)],
                    check=True,
                    capture_output=True,
Confidence
87% confidence
Finding
result = subprocess.run( [str(self.venv_pip), "install", "-r", str(self.requirements_file)], check=True, capture_output=True

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                    print("📦 Installing Node.js dependencies...")
                    npm_cmd = _get_npm_command()
                    try:
                        subprocess.run(
                            [npm_cmd, "install"],
                            check=True,
                            capture_output=True,
Confidence
89% confidence
Finding
subprocess.run( [npm_cmd, "install"], check=True, capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                        print("✅ Node.js dependencies installed")
                        print("🌐 Installing Playwright browsers...")
                        try:
                            subprocess.run(
                                [npm_cmd, "run", "install-browsers"],
                                check=True,
                                capture_output=True,
Confidence
85% confidence
Finding
subprocess.run( [npm_cmd, "run", "install-browsers"], check=True, capture_ou

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The advertised Z-Library integration expands the skill beyond normal NotebookLM querying into third-party content acquisition, including browser automation and credential/state handling. That materially increases legal, trust, and supply-chain risk because the skill can fetch external content from a high-risk source unrelated to the core querying function.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The documented Z-Library upload flow materially broadens the skill from NotebookLM querying into acquisition and transfer of third-party content through browser automation. In an agent context, this can facilitate unauthorized downloading of copyrighted material and ingestion of untrusted content under innocuous source-management commands.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
The documentation explicitly recommends switching or using multiple Google accounts to work around service rate limits. That guidance encourages policy circumvention and can lead users to store and manage multiple authenticated accounts in the skill, increasing account-abuse and privacy risk.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The troubleshooting guide documents notebook creation/addition and multi-account management capabilities that materially expand the skill beyond its stated purpose of directly querying existing notebooks. This increases the operational scope of the skill and can enable unintended data access or account manipulation workflows that users would not reasonably expect from the manifest.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The guide explicitly recommends switching and rotating multiple Google accounts to bypass NotebookLM query rate limits. That is an abuse-enabling workflow that facilitates circumvention of provider safeguards and could lead to policy violations, account misuse, or broader unauthorized automated access.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Advising users to enable less secure app access and use dedicated automation accounts normalizes weaker account security in support of browser automation. Even if intended for troubleshooting, this increases exposure to account compromise and encourages credential-handling practices outside the skill's stated query-only function.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The inclusion of ebook conversion and parsing libraries is not aligned with the stated purpose of querying existing NotebookLM notebooks, which suggests capability creep beyond the declared functionality. In an agent skill, extra document-ingestion tooling can enable unadvertised acquisition or transformation of external content, increasing attack surface and creating suspicion around undocumented data flows.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The dependency on Patchright, explicitly described as an anti-detection Playwright fork for Google auth, materially exceeds a simple NotebookLM query client and indicates stealth browser automation designed to evade detection. In the context of an agent skill with persistent auth, this creates a strong risk of unauthorized account automation, policy evasion, and abuse of user sessions.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The module calls `ensure_venv_and_run()` at import time, causing environment creation and package-manager activity as a side effect of importing the package. This violates the principle of least surprise and can trigger network access and code execution in contexts that only intended to inspect or import the module, which is a meaningful security concern for an agent skill.
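The eleven "subprocess module call" findings above and this import-time finding are the output of a pattern scanner; a reviewer usually wants to confirm them locally and separate the two risk classes they mix together. Every flagged call on this page passes an argv list and no shell=True, so the exposure is what the package managers fetch and run (npm install, pip install, a browser download), not shell injection. The following is an added example, not code from the skill or from SkillSpector: an AST walk that reports subprocess calls (splitting shell-parsed from argv-list calls), eval/exec, dynamic imports, and bare module-level calls that execute on import. The sample source it triages is constructed to mimic the shapes quoted in the findings and is not the skill's code; `from subprocess import run` style aliases are deliberately not resolved.

```python
"""Static triage of a skill's Python source for the patterns reported above.

Added example, not code from the skill or from the scanner.
"""
from __future__ import annotations

import ast
import sys
from dataclasses import dataclass

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}
OS_SHELL_FUNCS = {"os.system", "os.popen"}
DYNAMIC_IMPORTS = {"__import__", "importlib.import_module"}


@dataclass
class Finding:
    kind: str
    line: int
    severity: str
    detail: str


def _call_name(node: ast.Call) -> str:
    """Dotted callee name such as 'subprocess.run'; '' when it is not a simple name."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return ""


def _keyword(node: ast.Call, name: str) -> ast.expr | None:
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def _classify_call(node: ast.Call) -> Finding | None:
    name = _call_name(node)
    head, _, tail = name.rpartition(".")
    if (head == "subprocess" and tail in SUBPROCESS_FUNCS) or name in OS_SHELL_FUNCS:
        shell = _keyword(node, "shell")
        # Only a literal shell=False (or no shell kwarg) is statically safe from shell parsing.
        shell_off = shell is None or (isinstance(shell, ast.Constant) and shell.value is False)
        if name in OS_SHELL_FUNCS or not shell_off:
            return Finding("subprocess", node.lineno, "High",
                           f"{name}: command string is parsed by a shell")
        return Finding("subprocess", node.lineno, "Medium",
                       f"{name}: argv list, no shell parsing; review what runs and whether it reaches the network")
    if name in {"eval", "exec"}:
        return Finding("eval_exec", node.lineno, "High", f"{name}() executes data as code")
    if name in DYNAMIC_IMPORTS:
        return Finding("dynamic_import", node.lineno, "Medium", f"{name}: module chosen at runtime")
    return None


def triage(source: str) -> list[Finding]:
    """Return findings sorted by line; aliases like `from subprocess import run` are not resolved."""
    tree = ast.parse(source)
    findings = [f for f in (_classify_call(n) for n in ast.walk(tree)
                            if isinstance(n, ast.Call)) if f]
    # A bare call statement at module level runs on import. Calls under
    # `if __name__ == "__main__":` sit inside an ast.If node, so they are not flagged here.
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            findings.append(Finding("import_time_call", stmt.lineno, "Medium",
                                    f"{_call_name(stmt.value)}() runs when the module is imported"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample mimicking the shapes quoted in the findings; not the skill's code.
SAMPLE = '''\
import importlib, os, subprocess

def ensure_venv_and_run():
    subprocess.run(["npm", "install"], check=True, capture_output=True)
    subprocess.run("pip install -r " + os.environ.get("REQ", "req.txt"), shell=True)
    importlib.import_module(os.environ.get("PLUGIN", "noop"))

def evaluate(js):
    return eval(js)

ensure_venv_and_run()

if __name__ == "__main__":
    print("ok")
'''


if __name__ == "__main__":
    # Usage: python triage.py path/to/module.py ; with no argument the sample is used.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in triage(src):
        print(f"{f.severity:6} L{f.line:<4} {f.kind:18} {f.detail}")
```

On the sample this yields two High findings (the shell=True call and eval) and three Medium ones, which is the split a reviewer should expect from the page's subprocess evidence: the argv-list installs are a supply-chain and network concern rather than an injection bug.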

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill is presented as a NotebookLM query helper, but it silently starts a local browser daemon and associated automation stack. That mismatch matters because users may authorize a narrow notebook-query tool while unknowingly granting persistent browser automation capability, increasing the chance of unintended local actions and access to authenticated web sessions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The evaluate() method forwards arbitrary JavaScript into the active page context, enabling unrestricted DOM access and interaction with authenticated web content. In a skill whose stated purpose is querying NotebookLM, this is an unnecessary and dangerous expansion of capability because it can read page data, trigger actions, or manipulate sessions far beyond source-grounded notebook queries.
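The hardening a reviewer would ask for here is to stop accepting JavaScript source at all: expose a small set of named expressions and pass inputs as data through the arg parameter that Playwright-style evaluate(expression, arg) already serializes, so a selector or query string can never be spliced into script text. The following is an added example, not the skill's code; the expression names, the FakePage stand-in and the canned results are assumptions for running it offline.

```python
"""An allowlisted, parameterized replacement for a free-form evaluate(js) method.

Added example, not code from the skill. Works with any object exposing a
Playwright-style evaluate(expression, arg) method.
"""
import json

# Hypothetical named expressions a NotebookLM query tool legitimately needs.
# Each takes its input as a function argument, never as interpolated source text.
ALLOWED_EXPRESSIONS = {
    "answer_text": "(sel) => document.querySelector(sel)?.innerText ?? ''",
    "source_count": "() => document.querySelectorAll('[data-source-id]').length",
}


class EvaluateNotAllowed(PermissionError):
    pass


class GuardedPage:
    """Wrap a page so callers choose an expression by name and supply data only."""

    def __init__(self, page, allowed=ALLOWED_EXPRESSIONS):
        self._page = page
        self._allowed = dict(allowed)
        self.audit_log = []  # (decision, name) tuples for later review

    def evaluate(self, name: str, arg=None):
        expr = self._allowed.get(name)
        if expr is None:
            # Raw JavaScript arrives here as an unknown name and is refused, not run.
            self.audit_log.append(("denied", name))
            raise EvaluateNotAllowed(f"expression {name!r} is not allowlisted")
        json.dumps(arg)  # arg must be plain JSON data; non-serializable input raises TypeError
        self.audit_log.append(("allowed", name))
        return self._page.evaluate(expr, arg)


class FakePage:
    """Offline stand-in for a browser page: records calls and returns canned results."""

    CANNED = {
        ALLOWED_EXPRESSIONS["answer_text"]: "constructed answer text",
        ALLOWED_EXPRESSIONS["source_count"]: 3,
    }

    def __init__(self):
        self.calls = []

    def evaluate(self, expression, arg=None):
        self.calls.append((expression, arg))
        return self.CANNED[expression]


def demo() -> dict:
    """Exercise the guard: two legitimate calls, then an attempt to run raw JavaScript."""
    fake = FakePage()
    page = GuardedPage(fake)
    result = {
        "answer": page.evaluate("answer_text", "#answer"),
        "sources": page.evaluate("source_count"),
    }
    try:
        page.evaluate("document.cookie")
        result["raw_js_blocked"] = False
    except EvaluateNotAllowed:
        result["raw_js_blocked"] = True
    result["page_calls"] = len(fake.calls)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With a real page object the wrapper is a drop-in: the underlying evaluate still receives a JavaScript expression, but only one taken from the allowlist, and the caller-controlled part travels as the serialized arg.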

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This command set includes destructive and state-changing operations such as artifact deletion, which materially exceeds the skill's stated query-focused purpose. That mismatch is security-relevant because users or higher-level agents may grant trust based on the manifest description and unknowingly enable capabilities that can remove data or alter remote state.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file can generate new media artifacts (audio, slides, infographics), which goes beyond the advertised notebook-query functionality. In an agent setting, undeclared generation features can be abused for cost-incurring actions, unwanted content creation, or workflow manipulation because the operator may not realize the skill has write/create semantics.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The code supports downloading remote artifacts to arbitrary local file paths, but this local file write behavior is not reflected in the query-oriented description. In a trusted-agent context, undeclared file-write capability increases risk because it can be used to overwrite files, place unexpected content on disk, or facilitate data exfiltration workflows under misleading expectations.

VirusTotal

66/66 vendors flagged this skill as clean.
