Security audit

X To Notebooklm

Security checks across malware telemetry and agentic risk

Overview

The skill has a clear X-to-NotebookLM purpose, but it needs review because crafted inputs can reach shell commands and uploaded content may remain in local temp files.

Review before installing or running. Only use trusted, non-sensitive public URLs and simple notebook names/IDs; assume the URL and fetched page content will be sent to r.jina.ai and Google NotebookLM. Verify the separate NotebookLM CLI yourself, and delete temp files manually until shell handling and cleanup are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding:
The documentation says the skill is for X/Twitter articles, but the test result shows successful ingestion of a GitHub URL, which strongly suggests the underlying workflow can fetch and upload arbitrary URLs. This mismatch is dangerous because users may apply the skill to sensitive or unintended web content without realizing it broadens the data-transfer surface to r.jina.ai and NotebookLM.

Missing User Warnings

Medium
Confidence: 97%
Finding:
The skill description does not clearly warn that submitted URLs and extracted content are transmitted to r.jina.ai and then uploaded into NotebookLM, both of which are third-party services. This creates a privacy and data-handling risk because users may unknowingly send private, copyrighted, regulated, or sensitive material outside their expected trust boundary.

Missing User Warnings

Medium
Confidence: 86%
Finding:
The script writes fetched content to a temporary local file and uploads it to NotebookLM without an explicit confirmation step or clear warning at the point of action. This can cause unintended disclosure of sensitive or private content if a user supplies the wrong URL or does not realize the data will be persisted locally and transmitted to a third-party service.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The script sends the user-provided X URL to r.jina.ai, which is a third-party proxy/fetching service, without an explicit warning or consent flow. Even if the target content is public, the URL itself and access pattern may be sensitive, and users may reasonably expect direct retrieval rather than routing through an external service.

VirusTotal

66/66 vendors flagged this skill as clean.
