Skill v1.0.1

ClawScan security

NotebookLM Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 21, 2026, 2:58 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly matches its stated purpose (NotebookLM integration) but includes surprising elements and risky behaviors (bundled code despite being advertised as instruction-only, automatic dependency installs, persisted Google auth tokens, and a Z-Library downloader) that merit user review before installing.
Guidance
This skill is functionally coherent as a NotebookLM integration, but it contains a real codebase (not just prose) that will auto-create a virtualenv, install Python/Node dependencies, launch a local browser daemon, persist Google auth tokens/cookies to disk, and can download from third-party sources (including a Z-Library downloader). Before installing:
1) Review the repository source (especially auth_manager.py, agent_browser integrations, and zlibrary/downloader.py).
2) Consider using a dedicated Google account for automation and do not commit the data/ directory.
3) If you are uncomfortable with automatic dependency installs or token persistence, run the code in a sandbox or inspect/modify run.py to control installs.
4) Be aware of legal/ethical issues around Z-Library downloads.
5) If you allow autonomous invocation, remember a malicious or buggy skill with persisted credentials and a long-lived daemon has broader impact; limit exposure accordingly.

Review Dimensions

Purpose & Capability
concern: The skill claims to be an instruction-only NotebookLM helper but actually packages a large multi-file codebase (21+ scripts and helpers). That by itself is not malicious, but the registry metadata vs. included files is inconsistent. The feature set (browser automation, API wrapper, file uploads, Z-Library downloader) aligns with the README/SKILL.md, but the presence of a Z-Library download path and downloader module is unexpected for many users and raises legal/ethical concerns distinct from security.
Instruction Scope
concern: Runtime instructions direct automatic creation of a .venv, pip/npm installs, launching an agent-browser daemon (headed browser) for Google login, and persisting auth tokens/cookies to data/*. The skill also supports folder sync and an upload-zlib command that will download from third-party sites. While these actions are relevant to NotebookLM integration, they require broad local file access, network downloads, and persistence of sensitive credentials, behaviors that deserve explicit user consent and review before execution.
Install Mechanism
note: There is no registry 'install' spec, but scripts/run.py auto-creates a virtualenv and runs pip/npm installs and browser installation steps. This means code and third-party packages will be fetched and executed locally (including Playwright/agent-browser assets). That is expected for browser-automation skills but increases risk compared to a pure instruction-only skill because remote packages and binaries will be downloaded and executed.
Credentials
concern: The registry metadata lists no required environment variables, but the code/documentation accept and persist Google auth tokens and cookies (NOTEBOOKLM_AUTH_TOKEN, NOTEBOOKLM_COOKIES) and use settings like AGENT_BROWSER_OWNER_PID, TIMEOUT_SECONDS, and proxy env vars. Persisting NotebookLM/Google tokens to data/auth/google.json is sensitive but proportionate for a client; users should be aware that the skill stores and can reuse credentials. The optional Z-Library auth and downloader further broaden the required network access and credentials scope for certain features.
Persistence & Privilege
note: always:false (good). The skill runs a long-lived agent-browser daemon while in use and persists session/cookie/token files in data/ and data/agent_browser/storage_state.json. It does not appear to request elevated system-wide privileges or change other skills' configs, but the persisted credentials and daemon socket files create a longer-lived access surface that should be considered when granting the skill autonomous invocation.