Trusted — Risk score 5/100
Last scanned: 1 day ago
nlm-cli
Automates NotebookLM operations using Jacob Brown's notebooklm-mcp-cli (nlm command), including notebooks, sources, studio content, downloads, research, and MCP/AI tool configuration.
This is a straightforward, well-documented wrapper skill for the open-source `notebooklm-mcp-cli` (nlm) tool. All capabilities — shell execution via spawnSync, CLI installation, and Google account authentication — are explicitly declared in documentation with no hidden functionality.
Skill name: nlm-cli
Analysis time: 29.6s
Engine: pi
Safe to install
No action needed. This skill is safe to use.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md documents wrapper script execution; scripts/nlm.mjs:40 uses spawnSync t… |
| File system | NONE | NONE | | No filesystem access beyond skill directory; no sensitive paths accessed |
| Network access | NONE | NONE | | No outbound network calls from wrapper; nlm CLI itself makes API calls to Google… |
| Environment variables | NONE | NONE | | Reads NLM_BIN env var and PATH only — standard for resolving executables, no sen… |
| Skill invocation | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | Not accessed |
| Browser | NONE | NONE | | nlm CLI uses browser-based CDP auth (OpenClaw) which is declared in docs, but th… |
| Database | NONE | NONE | | Not accessed |
1 finding
Medium severity: External URL
http://127.0.0.1:18800
references/install-and-auth.md:51

Directory structure

4 files · 14.2 KB · 339 lines
Markdown 3f · 291L JavaScript 1f · 48L
├─ 📁 references
│ ├─ 📝 cli-commands.md Markdown 138L · 6.5 KB
│ └─ 📝 install-and-auth.md Markdown 99L · 2.9 KB
├─ 📁 scripts
│ └─ 📜 nlm.mjs JavaScript 48L · 1.6 KB
└─ 📝 SKILL.md Markdown 54L · 3.2 KB

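Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| notebooklm-mcp-cli | * | pip / uv tool | | Jacob Brown's open-source CLI; version not pinned, but this is standard for CLI tools |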

Security highlights

✓ All capabilities are explicitly declared in SKILL.md and supporting documentation
✓ No obfuscation, base64-encoded payloads, or anti-analysis techniques
✓ No credential harvesting or environment variable enumeration
✓ No sensitive file/path access (~/.ssh, ~/.aws, .env, etc.)
✓ No remote script execution (curl|bash, wget|sh)
✓ No supply chain risks detected — uses a known public npm/pip package
✓ The wrapper script (scripts/nlm.mjs) is a simple, readable 48-line Node.js script with no hidden logic
✓ stdio inheritance is appropriate for a CLI wrapper tool