Trust Assessment
nlm-skill received a trust score of 67/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Unsafe Shell Command Construction, Potential Arbitrary File Exfiltration, Unsafe Credential Handling Instructions.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. The llm_behavioral_safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 9, 2026 (commit 2dc386d2). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unsafe Shell Command Construction: The skill explicitly instructs the agent to use the `bash` tool to execute `nlm` CLI commands when MCP tools are unavailable. This requires the agent to construct shell commands from user input (e.g., notebook titles, URLs) without enforcing strict sanitization. This pattern is highly vulnerable to command injection, as the LLM may fail to properly escape special characters in user inputs. Remediation: remove the instruction to use the raw `bash` tool and rely exclusively on structured MCP tools. If CLI interaction is required, wrap the CLI calls in a secure MCP tool that uses `subprocess.run` with `shell=False` and handles argument passing programmatically. | Unknown | SKILL.md:22 |
| HIGH | Potential Arbitrary File Exfiltration: The skill exposes functionality to upload local files to an external cloud service (Google NotebookLM) via the `source_add` tool with `source_type='file'`. The documentation does not specify any path restrictions, potentially allowing the agent to read and upload arbitrary sensitive files (e.g., SSH keys, configuration files) from the host filesystem to the cloud. Remediation: restrict the `file_path` parameter of the `source_add` tool to a specific allowlisted directory (e.g., a sandboxed workspace), and reject absolute paths or paths containing `..` traversal sequences. | Unknown | SKILL.md:135 |
| MEDIUM | Unsafe Credential Handling Instructions: The skill documentation instructs users to manually extract raw session cookies from Chrome DevTools and paste them into the chat interface to use the `mcp__notebooklm-mcp__save_auth_tokens` tool. This practice exposes sensitive authentication tokens to the conversation history, logs, and potentially the model provider. Remediation: avoid instructing users to paste raw credentials into the chat. Use a secure local authentication flow (such as the `nlm login` command launching a browser locally) that handles tokens outside of the conversation context, or implement a secrets management integration. | Unknown | SKILL.md:53 |
Full report: https://skillshield.io/report/75eb536480df49df