Please report security issues through GitHub Private Security Advisories for this repository. Do not open a public issue for a suspected vulnerability.
When reporting, include:
- The affected version or commit.
- The tool or script involved (for example
tools/fetch_snapshot.py). - A minimal reproduction, if available.
- The expected impact and any known workaround.
This repository is a documentation-and-tooling kit. The security-relevant
surface is the Python in tools/:
In scope:
- Unsafe URL handling or request behavior in
tools/fetch_snapshot.py(it fetches arbitrary user-supplied URLs over HTTP and converts the response to Markdown). - Path traversal or unsafe writes caused by the
--outpath offetch_snapshot.pyor the scaffold paths oftools/scaffold_topic.py. - Any code path that writes outside the intended topic directory.
Out of scope:
- Copyright compliance of any corpus you build. This repo ships without a
corpus. When you fetch documentation snapshots into
topics/*/corpus/, you are responsible for respecting the source's license and terms; keep a corpus-filled clone private and do not redistribute it. This is a usage responsibility, not a vulnerability in this project. - The behavior of NotebookLM or any third-party documentation site you fetch.
- Vulnerabilities in
markdownify, Python, or the operating system itself. - Content you choose to upload to NotebookLM.
- Report the issue through GitHub Private Security Advisories.
- The maintainer acknowledges receipt and confirms the affected scope.
- A fix is prepared privately and a regression check is added when practical.
- A patched release is published.
- The advisory is published with impact, affected versions, and mitigation details.