Trust Assessment
nlm-skill received a trust score of 52/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Potential Command Injection via `bash` execution, and Sensitive `save_auth_tokens` function documented.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on May 1, 2026 (commit 3711e782). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | src/notebooklm_tools/data/SKILL.md:127 |
| HIGH | Potential Command Injection via `bash` execution: The skill extensively documents and instructs the use of `bash` commands to interact with the `nlm` CLI. Many `nlm` commands accept user-provided strings as arguments (e.g., notebook titles, source content, query questions, custom prompts, file paths for export). If the LLM constructs these `bash` commands by directly interpolating untrusted user input without proper shell escaping, a malicious user could inject arbitrary shell commands. For example, a user providing a notebook title like `My Notebook"; rm -rf /; echo "` could lead to command execution on the host system. The LLM implementation must ensure all user-provided arguments passed to `bash` commands are properly shell-escaped to prevent command injection, for example by using `shlex.quote()` in Python or an equivalent function in other languages when constructing the command string before execution. | LLM | SKILL.md:100 |
| MEDIUM | Sensitive `save_auth_tokens` function documented: The skill documents an MCP tool `mcp__notebooklm-mcp__save_auth_tokens(cookies="<cookie_header>")` which explicitly takes a `cookies` string for authentication. While presented as a fallback authentication method, this function could be misused. If the LLM is prompted to extract its own sensitive session cookies and pass them to this function, or if a malicious user could supply a crafted cookie string, it could lead to credential exposure or session hijacking. The skill itself doesn't perform the harvesting, but it exposes a sensitive capability that handles authentication tokens directly. Implement strict input validation and access controls for the `save_auth_tokens` function. Ensure that the `cookies` parameter is never populated from untrusted user input or from the LLM's own sensitive session data without explicit user confirmation and robust sanitization. Prefer the `nlm login` command for authentication, which handles cookie extraction securely. | LLM | SKILL.md:154 |