NotebookLM Content Creation

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended to automate NotebookLM artifact creation, but it uses an existing account session and detached background polling with too little user control or disclosure.

Review before installing. Use this only in an environment where you are comfortable with the existing NotebookLM account being used, and confirm notebook IDs, artifact types, and output paths explicitly. Watch for leftover background polling processes and temporary files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

High
Confidence: 98%
Finding
The skill claims to handle Audio, Video, Infographics, and Slides, but the polling script hard-codes `nlm download audio` for every completed artifact. That mismatch can cause incorrect downloads, failed jobs, or writing the wrong artifact type to the requested output path, undermining integrity and potentially exposing or overwriting user data through unsafe assumptions in automation.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill explicitly states that authentication is already present on the server, but it does not warn the user that actions will run under the existing NotebookLM account context. In an agent setting, this can lead to unintended access to notebooks, content generation, downloads, or billing-affecting operations against a server-side account the user did not realize would be used.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs the agent to write task files under `/tmp`, generate a shell script, and launch a detached background process with `nohup`, but it provides no upfront disclosure or consent boundary for persistent local side effects. In practice, this can surprise users, leave long-running processes behind, and create recoverability and forensic issues if multiple jobs accumulate or if sensitive metadata is written to world-accessible temporary locations.

VirusTotal

66/66 vendors flagged this skill as clean.
