Notion Template

Security checks across malware telemetry and agentic risk

Overview

This skill mainly generates Notion template Markdown and has no evidence of network exfiltration, credential use, destructive behavior, or privilege escalation, though one bundled helper script has under-disclosed local logging features.

Install only if you are comfortable running local bash scripts. Use scripts/notion.sh for the Notion template features, and avoid putting secrets or sensitive business data into scripts/script.sh because it can store local data and command history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill metadata and instructions present this as a Notion template generator, but the referenced behavior includes persistent local storage, logging arbitrary entries, search/export functions, and generic utility capabilities unrelated to template generation. That mismatch is dangerous because it can hide data collection or exfiltration-adjacent behavior behind an innocuous productivity description, reducing user scrutiny and informed consent.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script’s behavior materially diverges from the declared skill purpose: instead of generating Notion templates, it implements a generic local logging and data-management CLI. This kind of capability mismatch is dangerous in an agent skill because users and orchestrators may grant trust or permissions based on the advertised purpose, while the code actually collects and persists arbitrary input locally.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The inline description labeling the tool as a 'Multi-purpose utility tool' contradicts the published skill description as a Notion template generator. In a security review context, deceptive or inconsistent descriptions reduce transparency and can conceal broader functionality than users expect, increasing the risk of misuse or unauthorized data handling.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger terms are extremely generic words like 'workspace', 'database', 'dashboard', 'wiki', 'project', and 'personal', which can appear in many unrelated conversations. In an agent setting, overly broad invocation terms can cause accidental activation and execution in contexts the user did not intend, especially when combined with shell commands or hidden extra functionality.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The logging helper writes user-supplied arguments to a persistent history file without any user-facing notice or consent. In the context of an agent skill, command arguments can contain sensitive prompts, identifiers, file names, or tokens, so silent persistence creates privacy and data-handling risk beyond what users would reasonably expect from a Notion template generator.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The add command stores arbitrary user input in a persistent local database file without warning. Because the surrounding skill context suggests template generation rather than local data retention, users may unknowingly place sensitive workspace or project information into a file on disk, creating confidentiality and retention risks.

VirusTotal

66/66 vendors flagged this skill as clean.