Security audit

Notion IM Helper

Security checks across malware telemetry and agentic risk

Overview

This Notion helper mostly matches its purpose, but it can save, search, upload, and delete Notion content more broadly than its append-only description suggests.

Review before installing. Use a dedicated Notion integration restricted to the intended page, prefer explicit command prefixes, avoid local file paths unless you mean to upload those files to Notion, and treat undo as destructive because it can delete page content without confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Description-Behavior Mismatch

High (97% confidence)
Describing the skill as append-only while also supporting an undo command that deletes blocks is a material contradiction. A caller or user may rely on the append-only guarantee when deciding to use the skill, making accidental or unauthorized deletion more likely because the capability is not honestly represented.

Intent-Code Divergence

High (98% confidence)
The documentation instructs that existing Notion blocks are never modified or deleted, yet elsewhere defines undo behavior that deletes blocks and caption append behavior that modifies existing content structure. This inconsistency is dangerous because it misleads operators about the safety properties of the skill and can result in unexpected destructive or state-changing operations on stored data.

Description-Behavior Mismatch

Medium (92% confidence)
The manifest claims the skill is an append-only helper for adding IM messages to a single Notion page, but the trigger set exposes materially broader behaviors such as search, undo, monthly reports, image handling, and completion flows. This mismatch can cause users or orchestrators to invoke capabilities they did not consent to, increasing the chance of unintended data access, retrieval, or state-changing operations beyond simple appends.

Description-Behavior Mismatch

High (95% confidence)
The skill claims to be append-only to a single Notion page, but this function can delete previously created content, including entire recent batches. That mismatch is security-relevant because users and orchestrators may grant trust and permissions based on the narrower append-only behavior, while the implementation can perform destructive modification of existing data.

Description-Behavior Mismatch

Medium (90% confidence)
The manifest says data is appended to a single Notion page, but append_to_block accepts an arbitrary block_id and can write anywhere the integration has access. This broadens the tool's effective write scope beyond what users would expect from the declared behavior, enabling unintended modification of other content structures.

Context-Inappropriate Capability

Medium (87% confidence)
The skill is described as syncing IM messages, but this helper can upload arbitrary local files by path to Notion. That creates a broader exfiltration channel than the stated purpose, and if other components can influence file_path, sensitive local files could be sent to an external service unintentionally.

Description-Behavior Mismatch

High (98% confidence)
The skill advertises append-only IM-to-Notion syncing, but it also exposes an undo path that deletes the last Notion block via delete_last_block(). That creates destructive capability beyond the stated scope, enabling accidental or unauthorized data loss if the command is invoked by an agent, user, or prompt-influenced workflow that assumes the integration is non-destructive.

Context-Inappropriate Capability

Medium (95% confidence)
A delete operation is not justified by the declared purpose of syncing IM messages to a single Notion page, especially when the description emphasizes append-only behavior. This mismatch increases the risk that orchestrators, users, or security reviewers will trust the tool more than they should, leading to unexpected deletion of synced content.

Description-Behavior Mismatch

Medium (89% confidence)
The script adds a Notion search capability that is broader than the skill metadata's stated append-only, single-page sync behavior. This expands the accessible data surface from writing to one page into reading across accessible Notion content, which can expose unrelated workspace data and violates least-privilege expectations.

Description-Behavior Mismatch

Medium (92% confidence)
The script paginates through all blocks on the configured Notion page and repurposes historical content for summaries and random quotes, rather than limiting processing to newly synced IM messages or a clearly scoped subset. In this skill context, that broad collection and re-disclosure of page contents increases privacy risk because unrelated notes, diary entries, ideas, and excerpts can be surfaced to an LLM or end user without clear consent or data minimization.

Vague Triggers

Medium (93% confidence)
The smart-detection fallback classifies any unmatched message as an idea, which can cause unintended persistence of arbitrary user chat content to Notion. In an IM-integrated append-only skill, this increases the risk of accidental data exfiltration, privacy leakage, and noisy writes from ordinary conversation that was never meant to be stored.

Vague Triggers

Medium (91% confidence)
Single-letter triggers like `d `, `n `, `t `, `i `, `q `, `l `, and `p ` are highly collision-prone in normal chat and can accidentally activate storage actions. Because the skill immediately maps these prefixes to content types and then executes writes, benign conversation can be misinterpreted and synced to Notion without clear user intent.

Missing User Warnings

Medium (84% confidence)
The `撤回` / `undo` command performs deletion of the last block batch within a time window, but the skill description does not prominently warn users that a natural-language command can trigger a destructive action. In a chat setting, terse commands are easy to invoke accidentally or through social engineering, leading to unintended data loss.

Vague Triggers

Medium (87% confidence)
Broad smart-detection rules that infer activation from vague content such as a URL, a date, checkbox-like text, or a default fallback to 'idea' increase the chance of the skill triggering without clear user intent. In a tool that writes data to an external service, ambiguous activation can cause unintended transmission of private content to Notion.

Vague Triggers

Medium (89% confidence)
Type inference based on generic words like 'notion' or '同步' is overly broad and can cause activation from casual conversation rather than a deliberate save command. Because the skill performs networked writes and may upload files, accidental invocation can expose sensitive text or local content to Notion without meaningful user consent.

Missing User Warnings

Medium (84% confidence)
The skill collects a Notion API token and transmits message content to Notion, but the documentation does not give a user-facing privacy warning about external data transfer, retention, or scope of access. This can lead users to share sensitive messages under the mistaken assumption that processing is local or minimally scoped.

Missing User Warnings

Medium (93% confidence)
The image upload feature supports local file paths and uploads those files to Notion servers, but the documentation does not prominently warn users that local files leave the device. In practice, a user may provide a path thinking it is only referenced locally, resulting in unintended exfiltration of sensitive images or documents mislabeled with image extensions.

Vague Triggers

Medium (89% confidence)
The phrase indicating activation when a message 'contains record intent' is vague and subjective, which enables over-broad triggering on ordinary conversations. In a messaging context, that can silently capture and sync private content to Notion without clear user intent, creating confidentiality and data governance risks.

Vague Triggers

Medium (94% confidence)
Several keywords are common everyday words such as 'todo', 'idea', 'question', 'search', 'undo', and 'notion', which are likely to appear in normal chat unrelated to this skill. Broad keyword matching in an IM environment raises the risk of accidental activation, leading to unintended exfiltration of chat content into Notion or unexpected operational actions.

Vague Triggers

Medium (93% confidence)
Some prefix patterns are too generic for chat contexts, including forms like '^今天:', '^月报', '^monthly', '^撤回', '^undo', '^search:', and '^今日', which can match ordinary human messages rather than deliberate tool commands. Because this skill writes to an external system, such collisions can cause unauthorized or accidental persistence of sensitive conversational data and trigger unexpected workflows.

Missing User Warnings

Medium (97% confidence)
The undo command directly performs deletion with no confirmation, warning, or explanatory output in this file, making accidental destructive use more likely. In an agent setting, a mistaken tool invocation or prompt manipulation could silently remove the most recent record, reducing integrity and user trust.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.