Security Audit

notebooklm

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

notebooklm received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 29 findings: 13 critical, 15 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Dangerous tool allowed: Bash.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

Dependency Graph

100%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Filesystem Write

1 finding

Shell Execution

29 findings

Dynamic Code

2 findings

Excessive Permissions

1 finding

Security Findings29

Severity	Finding	Layer	Location
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/seanphan/notebooklm/scripts/__init__.py:53
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/seanphan/notebooklm/scripts/__init__.py:65
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/seanphan/notebooklm/scripts/local_analyzer.py:49
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/seanphan/notebooklm/scripts/quick_query.py:38
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/seanphan/notebooklm/scripts/run.py:38
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/seanphan/notebooklm/scripts/run.py:91
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/seanphan/notebooklm/scripts/setup_environment.py:54
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/seanphan/notebooklm/scripts/setup_environment.py:62
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/seanphan/notebooklm/scripts/setup_environment.py:75
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/seanphan/notebooklm/scripts/setup_environment.py:132
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/seanphan/notebooklm/scripts/setup_notebooklm.py:21
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/seanphan/notebooklm/scripts/setup_notebooklm.py:28
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/seanphan/notebooklm/scripts/setup_notebooklm.py:43
HIGH	Dangerous tool allowed: Bash The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints.	Static	skills/seanphan/notebooklm/SKILL.md:1
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'ensure_venv_and_run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/seanphan/notebooklm/scripts/__init__.py:53
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'ensure_venv_and_run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/seanphan/notebooklm/scripts/__init__.py:65
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/seanphan/notebooklm/scripts/local_analyzer.py:49
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/seanphan/notebooklm/scripts/quick_query.py:38
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'ensure_venv'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/seanphan/notebooklm/scripts/run.py:38
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/seanphan/notebooklm/scripts/run.py:91
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_script'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/seanphan/notebooklm/scripts/setup_environment.py:132
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'ensure_venv'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/seanphan/notebooklm/scripts/setup_environment.py:54
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'ensure_venv'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/seanphan/notebooklm/scripts/setup_environment.py:62
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'ensure_venv'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/seanphan/notebooklm/scripts/setup_environment.py:75
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/seanphan/notebooklm/scripts/setup_notebooklm.py:21
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/seanphan/notebooklm/scripts/setup_notebooklm.py:28
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/seanphan/notebooklm/scripts/setup_notebooklm.py:43
HIGH	Arbitrary script execution via path traversal in `run.py` The `scripts/run.py` script takes a `script_name` from command-line arguments and constructs a path to the script using `skill_dir / "scripts" / script_name`. This allows for path traversal sequences (e.g., `../`) in `script_name` to resolve to executable files outside the intended `scripts` subdirectory. For example, if an attacker could place a malicious script like `evil.sh` in the skill's root directory, they could then execute it via `python run.py ../evil.sh`. Since the skill has `Bash` permission, this constitutes a command injection vulnerability, allowing for arbitrary code execution on the host system. Sanitize `script_name` to prevent path traversal. Ensure that the resolved `script_path` is strictly a child of `skill_dir / "scripts"`. This can be achieved by resolving the path and checking its `is_relative_to()` property, or by strictly validating `script_name` to ensure it does not contain path separators or traversal sequences.	LLM	scripts/run.py:40
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/seanphan/notebooklm/scripts/__init__.py:4

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/d36045f995c88d00.svg)](https://skillshield.io/report/d36045f995c88d00)