Back to skill

Security audit

Notion MCP

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Notion integration that can read and modify workspace content through Maton, with powerful but purpose-aligned capabilities.

Install only if you trust Maton to broker access to your Notion workspace. Keep MATON_API_KEY secret, verify the intended workspace or Maton connection before use, and require explicit confirmation of the exact target and effect before approving page updates, schema changes, moves, comments, or trash operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The schema permits null values for page properties via `additionalProperties` including `null`, while the human-readable description says database page updates must provide a non-null value and omitted properties are left unchanged. This inconsistency can cause an agent to remove property values when it intended only to update them, leading to unintended data loss or policy bypass around destructive changes.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The schema advertises a destructive operation (in_trash=true) without guardrails such as explicit confirmation language, scope limitations, or examples showing when not to use it. In an agent setting, this increases the chance that a loosely phrased user request or prompt-injected content could cause unintended deletion-like actions against Notion data sources.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.