Back to skill

Security audit

Anything To Notebooklm

Security checks across malware telemetry and agentic risk

Overview

This skill appears useful for turning files and web content into NotebookLM-style outputs, but it asks for broad file and web-ingestion authority with under-disclosed external uploads and a persistent third-party MCP setup.

Install only if you are comfortable with the skill sending selected documents, URLs, OCR/transcribed text, and search-derived material to NotebookLM and with adding a third-party WeChat MCP server to your global agent configuration. Avoid sensitive, regulated, confidential, or large archive inputs unless the skill gives a clear preflight list of exactly what will be processed and uploaded.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill promotes use of a separate MCP server specifically to bypass WeChat anti-scraping protections. Bypass tooling increases legal, policy, and security risk because it encourages running unvetted automation against protected content and expands attack surface through an auxiliary server process.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill tells users to modify the global Claude configuration to register a new MCP server. Editing global config is an environment-changing action with persistent effects beyond this skill, and it is not clearly necessary for a basic document-processing workflow from the user's perspective.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Automatic ZIP extraction and bulk processing of arbitrary local files broadens the skill from targeted document ingestion into generalized archive handling. That increases risk of processing unexpected sensitive files, decompression bombs, or unsafe file names if later implemented naively.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The installer clones and later instructs configuration of an additional MCP server from a third-party GitHub repository, expanding the skill's trust boundary and introducing remote code into the local environment. While WeChat article ingestion is loosely related to the skill's multi-source content goal, silently adding a separate server process is more privileged than the manifest suggests and creates supply-chain and capability-expansion risk.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger examples are broad natural-language phrases such as '生成播客' and '做成PPT', which overlap with ordinary conversation and can cause unintended skill activation. In an agent environment, this increases the chance that unrelated user text, pasted content, or prompt-injected material will be interpreted as an instruction to fetch, process, and upload content.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Claiming '完全自然语言,无需记命令' without constraints encourages implicit activation from common phrasing. That makes the skill more dangerous because it handles sensitive local files, web retrieval, and external uploads, so ambiguous language can lead to unintended data processing or exfiltration to NotebookLM.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explains that content is uploaded to NotebookLM but does not present a prominent warning that user-provided material will be sent to an external service. This is dangerous because users may reasonably assume local-only handling for files, articles, or notes and disclose sensitive data without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The batch-processing and multi-source examples normalize combining local files, URLs, and search-derived content into a single report without a clear external-transmission warning. This is more dangerous in context because aggregation can sweep large amounts of sensitive information into one upload, magnifying privacy, confidentiality, and compliance impact.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough to overlap with ordinary conversational requests, making accidental invocation plausible. Because the skill can upload content, read files, and generate outputs, unintended activation could cause data to be sent to third-party services without clear intent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Using generic search requests as activation criteria is ambiguous and collides with normal assistant search behavior. In this skill, that ambiguity matters because search results are not just shown to the user but may be summarized, saved locally, and uploaded to NotebookLM automatically.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill description does not clearly warn that supplied URLs, files, and extracted text are uploaded to NotebookLM and that derived artifacts are written to local storage. This omission undermines informed consent, especially when the inputs may contain confidential documents, private notes, or copyrighted materials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill extracts text and metadata from images, scanned PDFs, and audio, but does not warn users that OCR/transcription may capture sensitive content such as names, IDs, locations, or embedded metadata. This makes accidental exposure more likely when those materials are uploaded or echoed back in outputs.

Ssd 3

Medium
Confidence
93% confidence
Finding
The workflow instructs the agent to preserve and expose extracted metadata and source-derived details in saved files and user-facing responses without any sensitivity filtering. In a skill that handles documents, images, audio, and web content, that can leak personally identifiable information, document metadata, or sensitive business content into local files and third-party systems.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.