
Notebooklm Mcp Secure

Security-hardened NotebookLM MCP with post-quantum encryption (ML-KEM-768), GDPR/SOC2/CSSF compliance, and 14 security layers. Query Google's Gemini-grounded research from Claude and AI agents.

knowledge-memorygosecurityaiagent
By Pantheon-Security
6920 · Updated 4 weeks ago · TypeScript · MIT

Installation

npx -y notebooklm-mcp-secure

Configuration

{
  "mcpServers": {
    "notebooklm-mcp-secure": {
      "command": "npx",
      "args": ["-y", "notebooklm-mcp-secure"]
    }
  }
}

How to use

  1. Run the installation command above (if needed)
  2. Open your Claude Code settings file (~/.claude/settings.json)
  3. Add the configuration to the mcpServers section
  4. Restart Claude Code to apply changes

NotebookLM MCP Server (Security Hardened)

🏆 The World's Most Advanced NotebookLM MCP Server

Zero-hallucination answers • Gemini Deep Research • 17 Security Layers • Enterprise Compliance

The only NotebookLM MCP with enterprise-grade security, post-quantum encryption, and full Gemini API integration.

Security-hardened fork of PleasePrompto/notebooklm-mcp • Maintained by Pantheon Security

⚡ TL;DR — What You Get

  • 🔍 Query your NotebookLM notebooks — source-grounded, zero-hallucination answers
  • 📚 Create & manage notebooks programmatically — no manual clicking
  • 🎙️ Generate audio overviews — podcast-style summaries of your docs
  • 🎬 Generate video overviews — AI video summaries with 10 visual styles NEW
  • 📊 Extract data tables — structured JSON from notebook sources NEW
  • 🔬 Gemini 3 + Deep Research — latest models with thinking control (optional API) NEW
  • 📄 Document API — upload & query PDFs without browser (optional API)
  • 🔐 17 security layers — post-quantum encryption, audit logs, secrets scanning
  • Compliance-ready architecture — built to GDPR, SOC2, and CSSF standards (controls implemented; formal certification requires third-party audit)
  • 💡 No API key required — core features work with just browser auth

🚀 What's New in 2026

Latest: v2026.3.1 — All 334 audit issues resolved. 631 tests. Full MCP protocol compliance.

| Version | Highlights |
|---|---|
| v2026.3.1 | Security Audit Complete — All 334 issues from the independent audit resolved. Tests: 609 → 631. Code quality: URL resolution deduplicated, handler extraction, non-null assertions eliminated. Test gaps closed: validateNotebookId, error body shape, delete_document confirm guard, sanitized throws, log rotation, rate-limiter memory bound, range clamping. |
| v2026.3.0 | The Security Audit Release — Four parallel AI code reviews (security, protocol, architecture, testing) against 334 issues. All highs and mediums resolved. Tests: 139 → 609 across 50 files (4.4×). Full MCP protocol compliance: structuredContent, isError, transport tags. Schema bounds on all 48 tools. Annotation correctness. Webhook SSRF fix. Audit log integrity (hash chain, concurrent write lock, rotation continuity). Per-page mutex. HandlerContext DI. Cert pinning retracted (claims aligned with implementation). |
| v2026.2.10 | The Hardening Release — 3 new security layers (14→17): secure-by-default auth, exponential backoff lockout, credential isolation. Architecture overhaul: 3,611-line handler split into 9 domain modules, tool registry pattern. Gemini API retry with backoff. Multi-stage Docker build. Token CLI (token show/rotate). 168 tests. |
| v2026.2.9 | performSetup no longer wipes credentials before Chrome opens — prevents auth destruction on failed launch |
| v2026.2.8 | cleanup_data never deletes auth dirs (browser_state/, chrome_profile/) — auth survives all cleanup paths |
| v2026.2.7 | Block headless setup_auth calls; robust auth-now.mjs standalone script with Chrome profile lock handling |
| v2026.2.6 | New add_folder tool for bulk PDF/file uploads; improved tier detection for NotebookLM Plus |
| v2026.2.5 | Fix show_browser silently ignored in setup_auth — browser now reliably opens for auth |
| v2026.2.4 | Auth stability: 7-day state expiry, touchStateFile on validation, block headless re_auth |
| v2026.2.3 | Studio Panel tools restored: Video Overview, Data Table generation re-enabled |
| v2026.2.1 | Standard profile expanded: 14 → 33 tools — notebook creation, audio, source management now visible by default |
| v2026.2.0 | Gemini 3 models (2.5 retiring March 31), Video Overviews, Data Tables, thinking level, structured JSON, SDK 1.41 |
| v2026.1.12 | Security hardening: constant-time auth, command injection fix, memory leak fixes, MCP SDK 1.26.0 |
| v2026.1.11 | Notebook sync extraction for new Angular UI, NOTEBOOKLM_NO_GEMINI env var |
| v2026.1.10 | Tool description clarity for multi-LLM compatibility |
| v2026.1.9 | Documentation & UX improvements, npm audit fix |
| v2026.1.8 | Major dependency updates (zod 4.x, dotenv 17.x, post-quantum 0.5.4) |
| v2026.1.7 | MCP Protocol UX: tool icons, human-friendly titles, behavior annotations |
| v2026.1.4 | Defense-in-depth path validation, security hardening |
| v2026.1.1 | Deep health checks, chat history extraction, context management |

# Quick install
claude mcp add notebooklm -- npx @pan-sec/notebooklm-mcp@latest

Why Choose This MCP?

| Capability | Other MCPs | This MCP |
|---|---|---|
| Query NotebookLM | ✅ Basic | + session management, quotas |
| Create notebooks programmatically | | UNIQUE |
| Gemini Deep Research | | EXCLUSIVE |
| Document API (no browser) | | EXCLUSIVE |
| Post-quantum encryption | | Hybrid PQ at-rest |
| Enterprise compliance | | GDPR/SOC2/CSSF-ready |
| Video Overview generation | | NEW |
| Data Table extraction | | NEW |
| Chat history extraction | | |
| Deep health verification | | |

🔬 Security Audit 2026 — What We Found and Fixed

In April 2026, we commissioned a parallel deep-audit of v2026.2.11 (main @ 2973097) using four specialised AI code reviewers, each focused on a different attack surface: security vulnerabilities, protocol correctness, architecture quality, and testing gaps and edge cases. The four reviewers operated independently so their findings wouldn't influence each other. Together they produced a 334-item master issue list covering protocol correctness, security vulnerabilities, architecture flaws, test gaps, and documentation accuracy. All 334 issues are resolved across v2026.3.0 and v2026.3.1.

Audit by the Numbers

| Metric | Before (v2026.2.11) | After (v2026.3.1) |
|---|---|---|
| Tests | 139 | 631 across 50 files |
| Test suites | ~6 | 50 |
| TypeScript errors (tsc --noEmit) | 0 | 0 (maintained) |
| npm audit vulnerabilities | 0 | 0 (maintained) |
| MCP protocol compliance | Partial | Full (structuredContent, isError, transport tags) |
| Audit log integrity | Basic | Hash-chain verified on read |
| Concurrent write safety | | ✅ Write-locked |
| Webhook SSRF | | ✅ Blocked |

What the Four Reviewers Found

Security reviewer: Identified the forceAuth bypass in validateToken() allowing unauthenticated access to filesystem tools; webhook SSRF via unvalidated delivery targets; audit log hash chain not verified on read; concurrent audit writes interleaving entries; auth token salt not persisted (tokens invalidated on restart).

Protocol reviewer: Found 38 tools returning incorrect response shapes (missing structuredContent, wrong isError semantics, transport tags leaking into content); all 48 tools had incorrect or missing readOnlyHint/idempotentHint/destructiveHint annotations; 9 tool schemas lacked numeric bounds, enabling out-of-range inputs.

Architecture reviewer: Flagged the 3,611-line handlers.ts as a maintenance liability; singleton imports throughout domain functions preventing unit testing; the 500-line switch/case dispatch adding O(n) overhead and making tool registration error-prone.

Testing & edge-case reviewer: Found test suite at 139 tests with minimal coverage of security-critical modules; mcp-auth.ts at near-zero coverage; no tests for prompt injection patterns, audit log tampering, or concurrent browser session state; the DSAR handler had an undetected race condition.

Key Fixes

  • 17 security vulnerabilities addressed (auth bypass, SSRF, audit integrity, race conditions, selector injection vectors)
  • MCP protocol fully compliant — all 48 tools return correct structuredContent/isError shapes; annotations accurate; schema bounds enforced
  • Architecture decomposed: handlers.ts split into 9 domain modules with HandlerContext dependency injection; 100% unit-testable without process mocks
  • Test coverage — 15 new security-critical test suites including browser session, auth, prompt injection, audit log, webhook, DSAR, and compliance
  • Claims aligned — certificate pinning removed (implementation was retracted on Day 1 of the audit); PQ encryption scope documented accurately; compliance language uses "controls implemented" not "certified"
<details> <summary><b>📋 Full Feature List (48 Tools)</b></summary>

Core NotebookLM (No API Key Required)

| Tool | Description |
|---|---|
| ask_question | Query notebooks with source-grounded answers |
| add_notebook | Add a notebook to your library |
| list_notebooks | List all notebooks in library |
| select_notebook | Set active notebook |
| update_notebook | Update notebook metadata |
| remove_notebook | Remove from library |
| create_notebook | Programmatically create new notebooks |
| batch_create_notebooks | Create multiple notebooks at once |
| sync_library | Sync library with NotebookLM |
| list_sources | List sources in a notebook |
| add_source | Add source to notebook |
| add_folder | Bulk upload PDFs/files from a local folder to a notebook |
| remove_source | Remove source from notebook |
| generate_audio_overview | Create podcast-style audio |
| get_audio_status | Check audio generation status |
| download_audio | Download generated audio |
| generate_video_overview | Create AI video overview (10 styles) |
| get_video_status | Check video generation status |
| generate_data_table | Generate structured data table |
| get_data_table | Extract data table as JSON |
| list_sessions | List active sessions |
| close_session | Close a session |
| reset_session | Reset session history |
| get_health | Check server & auth status |
| setup_auth | Initial authentication |
| re_auth | Re-authenticate |
| cleanup_data | Clean up local data |
| get_quota | Check usage quotas |
| set_quota_tier | Set quota tier |
| get_query_history | View past queries |
| get_notebook_chat_history | Extract browser chat history |
| get_project_info | Get projec |
