ClawHub

Notion Diary

Security checks across malware telemetry and agentic risk

Overview

This skill matches its Notion diary purpose, but it can replace existing Notion page contents without a clear warning or recovery step.

Install only if you are comfortable giving this skill a Notion integration token and letting it create or update diary/report pages. Use a dedicated Notion integration shared only with the intended diary page or database, review generated entries before syncing, and be careful when syncing the same date again because existing page body content may be replaced.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no explicit permissions while instructing use of environment variables, reading local files, and making networked API calls to Notion. That mismatch can bypass user/operator expectations and weakens security review, because a seemingly low-privilege skill can still access secrets and exfiltrate diary content to an external service.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script can create a new Notion database under a supplied parent page when no database or data source ID is provided, which expands its write scope beyond merely syncing into a pre-approved destination. In a skill context, this can unexpectedly modify a user's workspace structure and create persistent objects the user did not explicitly authorize for that specific run.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
When updating an existing page, the script deletes all existing child blocks and rewrites them from scratch. If the target page contains any manually added content, comments-as-blocks, or prior data outside the generated diary body, that content can be irreversibly lost.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The update path performs a destructive delete of all existing child blocks before appending replacement content, but there is no user-visible warning or safeguard around that operation. In a diary skill, users may assume sync is additive or field-based, making accidental data loss more likely.

Ssd 3

Medium
Confidence
92% confidence
Finding
The 24-hour report workflow directs the agent to pull recent session history and convert it into a Notion entry, which can transfer private conversation content to a third-party service without sufficiently explicit, granular consent for each source session. This is especially risky because conversation history may contain sensitive data, credentials, health details, or unrelated context that the user did not intend to publish into a diary/report.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal