Trust Assessment
notebooklm received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 22 findings: 8 critical, 10 high, 3 medium, and 1 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Network egress to untrusted endpoints.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings22
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/productivity/notebooklm/scripts/__init__.py:53 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/productivity/notebooklm/scripts/__init__.py:65 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/productivity/notebooklm/scripts/run.py:38 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/productivity/notebooklm/scripts/run.py:91 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/productivity/notebooklm/scripts/setup_environment.py:54 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/productivity/notebooklm/scripts/setup_environment.py:62 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/productivity/notebooklm/scripts/setup_environment.py:75 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/productivity/notebooklm/scripts/setup_environment.py:132 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'ensure_venv_and_run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/productivity/notebooklm/scripts/__init__.py:53 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'ensure_venv_and_run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/productivity/notebooklm/scripts/__init__.py:65 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'ensure_venv'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/productivity/notebooklm/scripts/run.py:38 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/productivity/notebooklm/scripts/run.py:91 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_script'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/productivity/notebooklm/scripts/setup_environment.py:132 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'ensure_venv'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/productivity/notebooklm/scripts/setup_environment.py:54 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'ensure_venv'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/productivity/notebooklm/scripts/setup_environment.py:62 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'ensure_venv'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/productivity/notebooklm/scripts/setup_environment.py:75 | |
| HIGH | Unvalidated User-Controlled URL in Browser Navigation The `ask_question.py` script directly uses a user-provided `notebook_url` in `page.goto()`. If the host LLM allows arbitrary URLs to be passed as `--notebook-url`, a malicious URL (e.g., `javascript:alert(document.domain)` or `data:text/html,<script>alert(1)</script>`) could be executed within the browser context controlled by the skill. This could lead to client-side code execution or other browser-based attacks. Implement strict validation for the `notebook_url` argument to ensure it matches the expected domain (e.g., `https://notebooklm.google.com/`) before navigating the browser. This should be done in `ask_question.py` and `browser_session.py`. | LLM | scripts/ask_question.py:67 | |
| HIGH | Unvalidated User-Controlled URL in Browser Navigation (Browser Session) The `browser_session.py` script directly uses a user-provided `notebook_url` in `self.page.goto()`. If the host LLM allows arbitrary URLs to be passed, a malicious URL (e.g., `javascript:alert(document.domain)`) could be executed within the browser context controlled by the skill. This is a client-side code execution risk. Implement strict validation for the `notebook_url` argument to ensure it matches the expected domain (e.g., `https://notebooklm.google.com/`) before navigating the browser. This should be done in `ask_question.py` and `browser_session.py`. | LLM | scripts/browser_session.py:56 | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 | |
| MEDIUM | Unsanitized User Input Typed into Web Page The `ask_question.py` script directly types user-provided `question` text into a web input field using `StealthUtils.human_type()`. If the target web application (NotebookLM) is vulnerable to Cross-Site Scripting (XSS), a malicious `question` string (e.g., containing `<script>`) could execute arbitrary JavaScript within the browser context. While this exploits a vulnerability in the target application, the skill acts as a direct conduit for unsanitized user input. Consider implementing input sanitization or encoding for the `question` string before it is typed into the web page, especially if the target application's XSS defenses are unknown or weak. Alternatively, ensure the host LLM is strictly instructed to prevent malicious input in the `question` parameter. | LLM | scripts/ask_question.py:96 | |
| MEDIUM | Unsanitized User Input Typed into Web Page (Browser Session) The `browser_session.py` script directly types user-provided `question` text into a web input field using `self.stealth.human_type()`. If the target web application (NotebookLM) is vulnerable to Cross-Site Scripting (XSS), a malicious `question` string could execute arbitrary JavaScript within the browser context. The skill acts as a direct conduit for unsanitized user input. Consider implementing input sanitization or encoding for the `question` string before it is typed into the web page, especially if the target application's XSS defenses are unknown or weak. Alternatively, ensure the host LLM is strictly instructed to prevent malicious input in the `question` parameter. | LLM | scripts/browser_session.py:108 | |
| LOW | Covert behavior / concealment directives Multiple zero-width characters (stealth text) Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Scan History
Embed Code
[](https://skillshield.io/report/6300656444226753)
Powered by SkillShield