Notion Agent

Security checks across malware telemetry and agentic risk

Overview

This Notion skill appears useful and mostly transparent, but it needs review because it can modify or archive workspace content and its setup includes a risky remote install command.

Review before installing. Use a dedicated least-privilege Notion integration shared only with the pages or databases needed, keep NOTION_TOKEN out of logs and shell history, and require explicit user confirmation before archive/delete actions. Install uv through a trusted package manager or a verified installer rather than piping curl output directly to sh.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation indicates capabilities to read environment variables and perform network access, yet it declares no explicit permissions. This creates a transparency and governance gap: users or orchestrators may invoke a skill that can access a bearer token and send data to an external API without an upfront permission model. In an agent setting, undeclared env and network access materially increase the risk of unintended token use or data exfiltration.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The docs include a page delete/archive operation but do not warn users that it is destructive or explain whether recovery is possible. In an AI-agent context, omission of such guardrails can lead to accidental archival of important content through over-broad or mistaken commands. The danger is amplified because workspace content is often business-critical and deletions may be hard to notice immediately.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The setup instructions tell users to export a Notion integration token but do not include guidance on secure handling of that credential. Bearer tokens grant API access to shared Notion resources, so poor handling can expose workspace data or allow unauthorized modifications. Although common in setup docs, the missing warning is still a real security weakness.

External Script Fetching

Low
Category
Supply Chain
Content
1. Ensure `uv` is installed:
   ```bash
   curl -LsSf https://astral.sh/uv/install.sh | sh
   ```

2. Set your Notion integration token:
Confidence
94% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
1. Ensure `uv` is installed:
   ```bash
   curl -LsSf https://astral.sh/uv/install.sh | sh
   ```

2. Set your Notion integration token:
Confidence
97% confidence
Finding
| sh

VirusTotal

64/64 vendors flagged this skill as clean.
