Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Notebooklm
v0.1.0Use this skill to query your Google NotebookLM notebooks directly from Claude Code for source-grounded, citation-backed answers from Gemini. Browser automation, library management, persistent auth. Drastically reduced hallucinations through document-only responses.
⭐ 15· 6.4k·52 current·54 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and description (querying Google NotebookLM via browser automation and persisting auth) align with the included scripts. It legitimately needs browser automation, a persistent profile, and cookie handling to preserve NotebookLM sessions. Minor mismatch: the registry declared no required binaries/env, yet the code auto-installs dependencies and requires real Chrome (not just Chromium) and patchright; this behavior is implemented in the code rather than declared in metadata.
Instruction Scope
SKILL.md instructs the agent to open browser sessions, query notebooks (including an automated 'Smart Add' that queries the notebook to discover its contents), and to run follow-up questions repeatedly until 'complete'. These are within the stated purpose but permit autonomous, repeated access to user notebooks and will cause the agent to read and transmit notebook content to the automation process. The instructions also require always using the run.py wrapper; combined with module behavior (see install) this can cause unexpected side effects when code is imported or executed.
Install Mechanism
There is no declared install spec in the registry, but the code itself creates a .venv, pip-installs requirements.txt and invokes patchright to install Chromium. Notably, scripts/__init__.py runs ensure_venv_and_run() on import, meaning environment creation and network downloads may happen implicitly when the module is imported or when a script is executed. Downloading browser binaries and packages at runtime is expected for browser automation but increases risk because it fetches external components automatically.
Credentials
The skill declares no required environment variables or primary credential, but it persists and uses Google session cookies in a browser profile and state.json stored under ~/.claude/skills/notebooklm/data/. Those cookies effectively act as credentials and grant broad access to the Google account used (potentially beyond NotebookLM). The code's cookie-injection workaround (manual add_cookies) is plausible for the stated purpose, but storing and reusing session cookies is a high-sensitivity capability that should be proportionally protected and explicitly disclosed to users.
Persistence & Privilege
The skill persists a virtual environment, browser profile, and state.json in the skill data directory and can re-use those for later runs. While always:false (not force-installed), the code's import-time behavior that creates/installs the venv and browser can cause persistent changes without explicit separate installation steps. The skill does not modify other skills, but persistent cookie/profile storage grants ongoing access to the user's Google session and should be considered a long-lived privilege.
What to consider before installing
What to consider before installing/running this skill:
- Function matches purpose, but review the code first: the skill will create a .venv and download/install Python packages and a browser binary (patchright/chromium) automatically when its scripts run or are imported. Expect network downloads and filesystem changes in the skill folder.
- Persistent Google session: The skill stores a browser profile and state.json (cookies). Those files let the skill act with your Google account session and could be used to access other Google services. Only use a dedicated account for automation, and inspect/secure the data directory (~/.claude/skills/notebooklm/data/).
- Implicit installs: scripts/__init__.py triggers environment setup on import; that can run without an explicit 'install' step. If you want to review or control installation, run the code in an isolated environment (VM/container) first.
- Privacy and scope: 'Smart Add' will query notebooks to discover their contents automatically—ensure you want the agent to read that data. The follow-up loop can cause multiple automated queries; watch rates and logs.
- Safety steps you can take: audit the code before use; run it in a disposable VM or container; ensure file permissions limit access to the browser profile/state files; after use, clear auth with auth_manager.py clear or delete the data directory; monitor outgoing network traffic while testing.
- What would increase risk to 'malicious': evidence of obfuscated code, hard-coded external exfil endpoints, or scripts that upload state.json/profile to third-party servers. If you see such signs, do not run the skill.
Confidence note: medium — the code appears coherent with its stated purpose, but the automatic install behavior, persistent session cookie handling, and implicit side-effects on import are notable risks that merit manual review and cautious execution.Like a lobster shell, security has layers — review code before you run it.
latestvk976ktrckbrseyg199c0cs7kqd801vym
License
MIT-0
Free to use, modify, and redistribute. No attribution required.