Only the latest minor release receives security fixes. Earlier 0.x releases predate the current API surface and are no longer maintained — please upgrade to the latest version.
| Version | Supported |
|---|---|
| 0.4.x | ✅ |
| < 0.4 | ❌ |
If you discover a security vulnerability, please report it by:
- DO NOT open a public GitHub issue
- Email the maintainers directly (see `pyproject.toml` for contact info)
- Include a detailed description of the vulnerability
- Allow reasonable time for a fix before public disclosure
This library stores authentication credentials locally. Please understand these security considerations:
By default, files are stored per-profile under `~/.notebooklm/profiles/<profile>/` (configurable via the `NOTEBOOKLM_HOME` and `NOTEBOOKLM_PROFILE` environment variables). Legacy layouts store files directly in the root of `~/.notebooklm/` (representing the default profile):
| File Path | Contents | Permissions |
|---|---|---|
| `profiles/<profile>/storage_state.json` | Google session cookies | 0o600 (owner-only) |
| `profiles/<profile>/browser_profile/` | Playwright Chromium profile | 0o700 (owner-only) |
| `profiles/<profile>/context.json` | Active profile context / metadata | 0o600 (owner-only) |
| `config.json` | Global CLI config (e.g. language/active profile) | Default |
| `storage_state.json` (legacy) | Fallback root storage state (for default profile) | 0o600 (owner-only) |
| `browser_profile/` (legacy) | Fallback root Playwright profile | 0o700 (owner-only) |
| `context.json` (legacy) | Fallback root active notebook context | Default |
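
A permission audit for the paths in the table above, as an added example (not part of this project's code). It assumes `NOTEBOOKLM_HOME`, when set, replaces `~/.notebooklm` as the storage root; `audit` and `notebooklm_home` are hypothetical names.

```python
import os
import stat
from pathlib import Path

# Maximum modes from the table above. Paths the table lists as "Default"
# (config.json, legacy context.json) are not checked.
EXPECTED = {
    "storage_state.json": 0o600,
    "context.json": 0o600,
    "browser_profile": 0o700,
}


def notebooklm_home() -> Path:
    # Assumption: NOTEBOOKLM_HOME, when set, replaces ~/.notebooklm as the root.
    override = os.environ.get("NOTEBOOKLM_HOME")
    return Path(override) if override else Path.home() / ".notebooklm"


def audit(home: Path) -> list[tuple[Path, int, int]]:
    """Return (path, actual_mode, expected_mode) for each credential path
    that carries permission bits beyond the documented mode."""
    roots = [home]  # legacy layout keeps files directly in the root
    profiles = home / "profiles"
    if profiles.is_dir():
        roots += sorted(p for p in profiles.iterdir() if p.is_dir())
    findings = []
    for root in roots:
        for name, expected in EXPECTED.items():
            if root == home and name == "context.json":
                continue  # legacy context.json is "Default" in the table
            try:
                # lstat: inspect a symlink itself rather than its target
                mode = stat.S_IMODE((root / name).lstat().st_mode)
            except FileNotFoundError:
                continue
            if mode & ~expected:  # any bit set that the table does not allow
                findings.append((root / name, mode, expected))
    return findings


if __name__ == "__main__":
    for path, mode, expected in audit(notebooklm_home()):
        print(f"{path}: mode {mode:04o}, expected at most {expected:04o}")
```

A mode stricter than the documented one (for example 0o400) is not reported; only extra group or other bits are.
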
- Protect your credentials
  - The `storage_state.json` file contains your Google session cookies
  - Anyone with access to this file can impersonate your Google account to NotebookLM
  - Never share, commit, or expose this file
- Add to `.gitignore`

  ```
  .notebooklm/
  ```
- Credential rotation
  - Re-run `notebooklm login` periodically to refresh credentials
  - Sessions typically last days to weeks before expiring
- If credentials are compromised
  - Immediately revoke access at Google Security Settings
  - Delete the `~/.notebooklm/` directory
  - Re-authenticate with `notebooklm login`
- CI/CD usage
  - Do not commit credentials to repositories
  - Use `NOTEBOOKLM_AUTH_JSON` environment variable for secure, file-free authentication
  - Store the JSON value in GitHub Secrets or similar secure secret management
  - The env var approach keeps credentials in memory only, never written to disk

- Does not transmit credentials to any third party
- Does not store passwords (uses browser-based OAuth)
- Does not access data outside of NotebookLM
- Does not modify Google account settings
This library uses minimal dependencies:
| Dependency | Purpose | Security Notes |
|---|---|---|
| `httpx` | HTTP client | Well-maintained, security-focused |
| `click` | CLI framework | Stable, minimal attack surface |
| `rich` | Terminal output | Cosmetic, no network access |
| `playwright` | Browser automation (optional) | Used only for login |

```bash
# Install pip-audit
pip install pip-audit
# Run security audit
pip-audit
```

This library uses Google's internal APIs, which means:
- No official security guarantees from Google
- API changes without notice may break functionality
- Rate limiting may be applied by Google
- Account restrictions are possible for unusual usage patterns
- Sessions are cookie-based (standard web authentication)
- CSRF tokens are required and automatically handled
- No long-lived API keys or OAuth tokens
For security questions that are not vulnerabilities, open a GitHub Discussion.