Trust Assessment
notebooklm received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 20 findings: 10 critical, 8 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Prompt Injection via Tool Output.
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, static_code_analysis, manifest_analysis. The static_code_analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (20)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/__init__.py:53 | |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/__init__.py:65 | |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/run.py:38 | |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/run.py:91 | |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/setup_environment.py:54 | |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/setup_environment.py:62 | |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/setup_environment.py:75 | |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/setup_environment.py:132 | |
| CRITICAL | Prompt Injection via Tool Output. The skill's output, specifically the 'EXTREMELY IMPORTANT: Is that ALL you need to know?' phrase, is followed by explicit instructions to the host LLM (Claude Code) to 'STOP', 'ANALYZE', 'IDENTIFY GAPS', 'ASK FOLLOW-UP', 'REPEAT', and 'SYNTHESIZE'. This is a direct attempt to control the LLM's conversational flow and decision-making process based on tool output, which constitutes a prompt injection vulnerability. The LLM is being instructed to override its default behavior and engage in a specific multi-step follow-up process. Remove explicit instructions to the host LLM from tool output. Instead, design the skill to return raw data or a neutral summary, allowing the LLM to decide on follow-up actions based on its own reasoning and user context. If specific follow-up logic is desired, it should be implemented within the skill's internal logic or as part of the LLM's prompt engineering, not as an instruction embedded in tool output. | Unknown | SKILL.md:109 | |
| CRITICAL | Prompt Injection via Tool Output (ask_question.py). The `ask_notebooklm` function in `ask_question.py` appends a `FOLLOW_UP_REMINDER` string to its output. This string contains explicit instructions to the host LLM, such as 'EXTREMELY IMPORTANT: Is that ALL you need to know? ... before you reply to the user, review their original request and this answer. If anything is still unclear or missing, ask me another comprehensive question...'. This is a direct attempt to control the LLM's behavior and decision-making process based on tool output, which is a form of prompt injection. Remove explicit instructions to the host LLM from the tool's output. The tool should return factual information or raw data, and the LLM should be responsible for interpreting that information and deciding on subsequent actions or responses to the user. If specific follow-up behavior is desired, it should be managed through the LLM's system prompt or internal logic, not by injecting instructions into tool results. | Unknown | scripts/ask_question.py:37 | |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'ensure_venv_and_run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/__init__.py:53 | |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'ensure_venv_and_run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/__init__.py:65 | |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'ensure_venv'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/run.py:38 | |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/run.py:91 | |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_script'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/setup_environment.py:132 | |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'ensure_venv'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/setup_environment.py:54 | |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'ensure_venv'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/setup_environment.py:62 | |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'ensure_venv'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_1fvj40u/repo/skills/notebooklm/scripts/setup_environment.py:75 | |
| MEDIUM | Browser Sandbox Disabled. The browser is launched with the `--no-sandbox` argument, as specified in `scripts/config.py` and used by `BrowserFactory` in `scripts/browser_utils.py`. Disabling the browser sandbox significantly reduces the security isolation between the browser process and the underlying operating system. While common in containerized environments, it increases the risk of a successful browser exploit (e.g., through a malicious webpage or a compromised NotebookLM link) leading to a more severe compromise of the host system or skill environment. Evaluate if `--no-sandbox` is strictly necessary. If running in a container, ensure the container itself provides sufficient isolation. If not, consider removing this argument to enable the browser's native sandboxing, which provides a critical layer of defense against web-based attacks. If it must be disabled, ensure all navigated URLs are strictly controlled and validated. | Unknown | scripts/config.py:29 | |
| INFO | Use of Specialized Browser Automation Library. The skill relies on `patchright` for browser automation, which is a specialized library designed for anti-detection features and installing a specific browser (Chrome). While dependencies are pinned, `patchright` is less common than standard libraries like Playwright or Selenium. Its nature of deeply interacting with browser internals and installing system-level components (Chrome) introduces a supply chain risk. A compromise in the `patchright` library or its distribution could lead to malicious code execution or data exfiltration during skill setup or operation. Regularly monitor the `patchright` project for security vulnerabilities and updates. Ensure the source of `patchright` is trusted. Consider if the anti-detection features are strictly necessary, as they add complexity and potential attack surface. If possible, use more widely adopted and audited browser automation libraries. | Unknown | requirements.txt:5 | |