Security audit

Deep Research → NotebookLM Orchestrator

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises, but users should be aware that it can continue through a background agent handoff after the first confirmation.

Install only if you are comfortable with a workflow that starts after one confirmation, runs bounded background polling scripts, sends Discord updates, re-invokes an OpenClaw agent to continue the NotebookLM phase, uploads the generated report to NotebookLM, and may write downloads to your ObsidianVault path if you enable downloads. Review the two dependency skills as well, since this orchestrator relies on them for the actual provider actions.

SkillSpector

By NVIDIA
Vulnerability patterns checked
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The skill goes beyond simple orchestration by sending direct Discord messages and using `openclaw agent` to trigger a fresh agent execution from a background script. That creates an implicit cross-session control channel where untrusted task data such as topic and generated report path are turned into a new agent prompt, increasing the risk of prompt injection, unintended actions, and privilege expansion outside the original user interaction.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding:
The documentation states that all notifications use direct messaging only, but the workflow also performs `trigger_agent`, which launches a new agent action path. This mismatch is dangerous because reviewers and operators may underestimate the skill's autonomy and fail to apply safeguards appropriate for agent-to-agent triggering.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
Triggered mode explicitly skips all user confirmations before creating NotebookLM artifacts and potentially downloading files. In this skill, that means a background process can cause additional content generation and filesystem writes after Deep Research completes, even if the generated report or trigger message contains unexpected or adversarial content.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.