NotebookLM MCP Server (Security Hardened)
🏆 The World's Most Advanced NotebookLM MCP Server
Zero-hallucination answers • Gemini Deep Research • 17 Security Layers • Enterprise Compliance
What's New 2026 • Deep Research • Document API • Create Notebooks • Security • Install
</div>The only NotebookLM MCP with enterprise-grade security, post-quantum encryption, and full Gemini API integration.
Security-hardened fork of PleasePrompto/notebooklm-mcp • Maintained by Pantheon Security
⚡ TL;DR — What You Get
- 🔍 Query your NotebookLM notebooks — source-grounded, zero-hallucination answers
- 📚 Create & manage notebooks programmatically — no manual clicking
- 🎙️ Generate audio overviews — podcast-style summaries of your docs
- 🎬 Generate video overviews — AI video summaries with 10 visual styles NEW
- 📊 Extract data tables — structured JSON from notebook sources NEW
- 🔬 Gemini 3 + Deep Research — latest models with thinking control (optional API) NEW
- 📄 Document API — upload & query PDFs without browser (optional API)
- 🔐 17 security layers — post-quantum encryption, audit logs, secrets scanning
- ✅ Compliance-ready architecture — built to GDPR, SOC2, and CSSF standards (controls implemented; formal certification requires third-party audit)
- 💡 No API key required — core features work with just browser auth
🚀 What's New in 2026
Latest: v2026.3.1 — All 334 audit issues resolved. 631 tests. Full MCP protocol compliance.
| Version | Highlights |
|---|---|
| v2026.3.1 | Security Audit Complete — All 334 issues from the independent audit resolved. Tests: 609 → 631. Code quality: URL resolution deduplicated, handler extraction, non-null assertions eliminated. Test gaps closed: validateNotebookId, error body shape, delete_document confirm guard, sanitized throws, log rotation, rate-limiter memory bound, range clamping. |
| v2026.3.0 | The Security Audit Release — Four parallel AI code reviews (security, protocol, architecture, testing) against 334 issues. All highs and mediums resolved. Tests: 139 → 609 across 50 files (4.4×). Full MCP protocol compliance: structuredContent, isError, transport tags. Schema bounds on all 48 tools. Annotation correctness. Webhook SSRF fix. Audit log integrity (hash chain, concurrent write lock, rotation continuity). Per-page mutex. HandlerContext DI. Cert pinning retracted (claims aligned with implementation). |
| v2026.2.10 | The Hardening Release — 3 new security layers (14→17): secure-by-default auth, exponential backoff lockout, credential isolation. Architecture overhaul: 3,611-line handler split into 9 domain modules, tool registry pattern. Gemini API retry with backoff. Multi-stage Docker build. Token CLI (token show/rotate). 168 tests. |
| v2026.2.9 | performSetup no longer wipes credentials before Chrome opens — prevents auth destruction on failed launch |
| v2026.2.8 | cleanup_data never deletes auth dirs (browser_state/, chrome_profile/) — auth survives all cleanup paths |
| v2026.2.7 | Block headless setup_auth calls; robust auth-now.mjs standalone script with Chrome profile lock handling |
| v2026.2.6 | New add_folder tool for bulk PDF/file uploads; improved tier detection for NotebookLM Plus |
| v2026.2.5 | Fix show_browser silently ignored in setup_auth — browser now reliably opens for auth |
| v2026.2.4 | Auth stability: 7-day state expiry, touchStateFile on validation, block headless re_auth |
| v2026.2.3 | Studio Panel tools restored: Video Overview, Data Table generation re-enabled |
| v2026.2.1 | Standard profile expanded: 14 → 33 tools — notebook creation, audio, source management now visible by default |
| v2026.2.0 | Gemini 3 models (2.5 retiring March 31), Video Overviews, Data Tables, thinking level, structured JSON, SDK 1.41 |
| v2026.1.12 | Security hardening: constant-time auth, command injection fix, memory leak fixes, MCP SDK 1.26.0 |
| v2026.1.11 | Notebook sync extraction for new Angular UI, NOTEBOOKLM_NO_GEMINI env var |
| v2026.1.10 | Tool description clarity for multi-LLM compatibility |
| v2026.1.9 | Documentation & UX improvements, npm audit fix |
| v2026.1.8 | Major dependency updates (zod 4.x, dotenv 17.x, post-quantum 0.5.4) |
| v2026.1.7 | MCP Protocol UX: tool icons, human-friendly titles, behavior annotations |
| v2026.1.4 | Defense-in-depth path validation, security hardening |
| v2026.1.1 | Deep health checks, chat history extraction, context management |
# Quick install
claude mcp add notebooklm -- npx @pan-sec/notebooklm-mcp@latestWhy Choose This MCP?
| Capability | Other MCPs | This MCP |
|---|---|---|
| Query NotebookLM | ✅ Basic | ✅ + session management, quotas |
| Create notebooks programmatically | ❌ | ✅ UNIQUE |
| Gemini Deep Research | ❌ | ✅ EXCLUSIVE |
| Document API (no browser) | ❌ | ✅ EXCLUSIVE |
| Post-quantum encryption | ❌ | ✅ Hybrid PQ at-rest |
| Enterprise compliance | ❌ | ✅ GDPR/SOC2/CSSF-ready |
| Video Overview generation | ❌ | ✅ NEW |
| Data Table extraction | ❌ | ✅ NEW |
| Chat history extraction | ❌ | ✅ |
| Deep health verification | ❌ | ✅ |
🔬 Security Audit 2026 — What We Found and Fixed
In April 2026, we commissioned a parallel deep-audit of v2026.2.11 (main @ 2973097) using four specialised AI code reviewers, each focused on a different attack surface: security vulnerabilities, protocol correctness, architecture quality, and testing gaps and edge cases. The four reviewers operated independently so their findings wouldn't influence each other. Together they produced a 334-item master issue list covering protocol correctness, security vulnerabilities, architecture flaws, test gaps, and documentation accuracy. All 334 issues are resolved across v2026.3.0 and v2026.3.1.
Audit by the Numbers
| Metric | Before (v2026.2.11) | After (v2026.3.1) |
|---|---|---|
| Tests | 139 | 631 across 50 files |
| Test suites | ~6 | 50 |
TypeScript errors (tsc --noEmit) | 0 | 0 (maintained) |
| npm audit vulnerabilities | 0 | 0 (maintained) |
| MCP protocol compliance | Partial | Full (structuredContent, isError, transport tags) |
| Audit log integrity | Basic | Hash-chain verified on read |
| Concurrent write safety | ❌ | ✅ Write-locked |
| Webhook SSRF | ❌ | ✅ Blocked |
What the Four Reviewers Found
Security reviewer: Identified the forceAuth bypass in validateToken() allowing unauthenticated access to filesystem tools; webhook SSRF via unvalidated delivery targets; audit log hash chain not verified on read; concurrent audit writes interleaving entries; auth token salt not persisted (tokens invalidated on restart).
Protocol reviewer: Found 38 tools returning incorrect response shapes (missing structuredContent, wrong isError semantics, transport tags leaking into content); all 48 tools had incorrect or missing readOnlyHint/idempotentHint/destructiveHint annotations; 9 tool schemas lacked numeric bounds, enabling out-of-range inputs.
Architecture reviewer: Flagged the 3,611-line handlers.ts as a maintenance liability; singleton imports throughout domain functions preventing unit testing; the 500-line switch/case dispatch adding O(n) overhead and making tool registration error-prone.
Testing & edge-case reviewer: Found test suite at 139 tests with minimal coverage of security-critical modules; mcp-auth.ts at near-zero coverage; no tests for prompt injection patterns, audit log tampering, or concurrent browser session state; the DSAR handler had an undetected race condition.
Key Fixes
- 17 security vulnerabilities addressed (auth bypass, SSRF, audit integrity, race conditions, selector injection vectors)
- MCP protocol fully compliant — all 48 tools return correct
structuredContent/isErrorshapes; annotations accurate; schema bounds enforced - Architecture decomposed —
handlers.tssplit into 9 domain modules with HandlerContext dependency injection; 100% unit-testable without process mocks - Test coverage — 15 new security-critical test suites including browser session, auth, prompt injection, audit log, webhook, DSAR, and compliance
- Claims aligned — certificate pinning removed (implementation was retracted in Day 1 of the audit); PQ encryption scope documented accurately; compliance language uses "controls implemented" not "certified"
Core NotebookLM (No API Key Required)
| Tool | Description |
|---|---|
ask_question | Query notebooks with source-grounded answers |
add_notebook | Add a notebook to your library |
list_notebooks | List all notebooks in library |
select_notebook | Set active notebook |
update_notebook | Update notebook metadata |
remove_notebook | Remove from library |
create_notebook | Programmatically create new notebooks |
batch_create_notebooks | Create multiple notebooks at once |
sync_library | Sync library with NotebookLM |
list_sources | List sources in a notebook |
add_source | Add source to notebook |
add_folder | Bulk upload PDFs/files from a local folder to a notebook |
remove_source | Remove source from notebook |
generate_audio_overview | Create podcast-style audio |
get_audio_status | Check audio generation status |
download_audio | Download generated audio |
generate_video_overview | Create AI video overview (10 styles) |
get_video_status | Check video generation status |
generate_data_table | Generate structured data table |
get_data_table | Extract data table as JSON |
list_sessions | List active sessions |
close_session | Close a session |
reset_session | Reset session history |
get_health | Check server & auth status |
setup_auth | Initial authentication |
re_auth | Re-authenticate |
cleanup_data | Clean up local data |
get_quota | Check usage quotas |
set_quota_tier | Set quota tier |
get_query_history | View past queries |
get_notebook_chat_history | Extract browser chat history |
get_project_info | Get projec |
…