Back to plugin

Security audit

Notion Workspace

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Notion/AISA workspace skill, but its broad routing language and powerful read/write, trigger, and MCP capabilities need review before installation.

Install only if you intend to give this skill AISA-mediated access to a Notion workspace. Review the connected Notion permissions, share only the pages/databases needed, avoid using it for general web research, and require explicit approval before any write, trigger, webhook, or MCP-server action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (14)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The README describes a Notion workspace management skill, but its 'Use when' guidance expands into generic web search, research, source discovery, and content extraction. This scope mismatch can cause the agent to invoke the skill in situations unrelated to Notion, increasing the chance of inappropriate data access or side effects through an over-privileged integration.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The manifest advertises this skill for generic web search, research, source discovery, and content extraction, but the actual capability set is privileged Notion access with OAuth, page/database reads, writes, triggers, and MCP. This scope mismatch can cause an orchestrator or user to invoke the skill in situations where they expected passive information retrieval, leading to unintended access to private workspace data or unintended state-changing actions.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The usage guidance is broad enough that an orchestrator or user may select this skill for many loosely related tasks, not just explicit Notion operations. In a tool-using agent environment, overbroad routing language is dangerous because it can trigger unnecessary credentialed actions or expose workspace contents when a less-privileged capability would suffice.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises create-page and insert-row capabilities but does not warn that the skill can modify user data. In context, this is risky because an agent may treat the skill as informational while it actually has write capabilities, leading to unintended changes to Notion pages or databases.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The skill's trigger conditions are overly broad and include generic web search and research tasks outside the documented Notion-only scope. In agent environments, broad routing cues can cause this skill to be selected unnecessarily, exposing Notion-connected credentials and workspace data paths when a lower-privilege search tool should have been used instead.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The example payload includes a real-looking email address in the `user_id` field without any warning about privacy implications or guidance to substitute a non-identifying value. In a documentation skill that users may copy verbatim, this can normalize transmitting personally identifying data to the external AISA service and lead to unnecessary disclosure of user information in logs, telemetry, or third-party systems.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This section explicitly supports broad workspace discovery via search and fetch operations across pages and databases, but provides no instruction to verify user authorization, minimize scope, or warn that results may expose sensitive internal content. In an agent skill, this increases the risk of over-collection and unintended disclosure because a user request like 'find docs' could cause enumeration of workspace data beyond what is necessary.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow documents full page markdown export, block retrieval, schema fetch, and database row queries without any privacy or least-privilege warnings. These operations can retrieve large volumes of sensitive text, metadata, and structured records, so an agent following this workflow could exfiltrate confidential workspace content in response to underspecified or malicious prompts.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
### Insert row — **Confirm with user**

**Tool:** `NOTION_INSERT_ROW_DATABASE`

`properties` must be a **list** of objects (not a flat dict):
Confidence
83% confidence
Finding
Tool:*

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
### Insert from natural language

**Tool:** `NOTION_INSERT_ROW_FROM_NL`

Fallback to manual `properties` if tier returns error `1010`.
Confidence
92% confidence
Finding
Tool:*

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
### Update row properties

**Tool:** `NOTION_UPDATE_PAGE`

Rows are pages in Notion — use row `page_id` and same `properties` list format.
Confidence
86% confidence
Finding
Tool:*

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
## Create database (under a page)

**Tool:** `NOTION_CREATE_DATABASE`

- `parent_id` must be a **page_id**, not a database_id
- **Confirm with user**
Confidence
88% confidence
Finding
Tool:*

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
### From Notion URL

**Tool:** `NOTION_FETCH_ALL_BLOCK_CONTENTS` — pass `page_url` or `block_id`. Do not use database view URLs containing `?v=`.

---
Confidence
79% confidence
Finding
Tool:*

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Active list: `GET /trigger_instances/active`  
Enable/disable: `PATCH /trigger_instances/manage/{triggerId}`  
Delete: `DELETE /trigger_instances/manage/{triggerId}`

---
Confidence
24% confidence
Finding
DELETE /trigger_instances/manage/{triggerId}`

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.