NotebookLM Ops
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: notebooklm-ops Version: 1.0.0 This skill is classified as suspicious due to its high-privilege access requirements and reliance on unprovided external scripts. It explicitly requires access to a pre-logged-in Chromium profile, granting it access to Google session cookies and other browser data. The skill uses Chrome DevTools Protocol (CDP), a powerful interface capable of extensive browser control and data extraction. While the provided `SKILL.md` and wrapper scripts (`notebooklm-on.sh`, `notebooklm-off.sh`, `notebooklm-smoke.sh`, `notebooklm-status.sh`) do not show explicit malicious intent, the core logic for GUI control and authentication refresh is delegated to external, unprovided scripts (e.g., `/home/moltuser/clawd/scripts/refresh-google-mcp-cookies.sh`, `/home/moltuser/clawd/scripts/notebooklm-remote-gui.sh`, and scripts within `/home/moltuser/clawd/skills/notebooklm-mcp`). This creates a significant vulnerability where a compromised or malicious external script could easily exfiltrate sensitive browser data or perform unauthorized actions, despite the stated benign purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent and its helper scripts may operate with your logged-in Google session for NotebookLM, and possibly other Google-accessible browser state in that profile.
The skill explicitly relies on a logged-in Google browser profile/session, but the artifacts do not clearly bound the exact profile, cookie scope, credential handling, or resulting account authority.
A one-time manual login in Chromium to Google/NotebookLM is required. After that, this skill keeps refresh automated by reusing the same browser profile/session.
Use a dedicated Chromium profile or dedicated Google account, review the helper scripts first, and require explicit user approval before auth refresh actions.
Installing the skill would depend on local scripts whose behavior and provenance are not included in this review, even though they handle sensitive auth and browser automation.
The packaged ON script is a thin wrapper that executes an absolute-path helper outside the supplied manifest, so the main startup/auth-refresh behavior is not visible in the reviewed artifacts.
/home/moltuser/clawd/scripts/notebooklm-on.sh
Do not use until the referenced helper scripts are included, pinned, or manually audited in the target environment.
If CDP or VNC are exposed beyond the intended local user, another process or user could potentially control the authenticated browser session.
The skill uses browser-debugging and remote-GUI control surfaces around an authenticated browser session, but the artifacts do not specify binding, authentication, or access-control limits.
Linux host with Chromium and CDP (`--remote-debugging-port=9222`). Virtual display stack: **Xvfb + openbox + x11vnc**.
Bind CDP and VNC to localhost or otherwise secure them, avoid shared hosts, and shut the stack down when finished.
An authenticated browser and remote GUI stack may continue running after the initial command if not explicitly stopped.
The skill intentionally starts background GUI/browser services; this is disclosed and purpose-aligned, but users should understand that services may remain active until the OFF command runs.
Start GUI/CDP stack (Xvfb + openbox + x11vnc + Chromium).
Run the OFF command after use and verify that Chromium, x11vnc, Xvfb, and openbox processes are stopped.