ClawHub

Vibe Notion

Security checks across malware telemetry and agentic risk

Overview

This Notion skill is clearly about Notion automation, but it needs Review because it uses the user's desktop session token and can perform broad or bulk workspace changes without strong confirmation boundaries.

Install only if you are comfortable letting an npm-installed CLI use your Notion desktop session and act as you in accessible workspaces. Prefer the official Notion integration for sensitive workspaces, review all write/delete/batch operations before execution, do not blindly follow $hints fixes, and remove ~/.config/vibe-notion/credentials.json and MEMORY.md when you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill directs the agent to prefer the unofficial private-API CLI whenever the Notion desktop app is present, which broadens use of a credential-extracting path without requiring explicit user confirmation or a least-privilege check. In context, this increases the chance that an agent will choose a more invasive authentication mechanism and operate with full user identity when a safer official API option may exist.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs persistent cross-session storage of workspace IDs, page IDs, database IDs, aliases, relationships, and user preferences in a local memory file, but the skill description does not foreground this data retention or require consent. Even though it warns not to store tokens or full content, the retained metadata can still reveal organizational structure and sensitive workspace context over time.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples explicitly demonstrate `page update --replace-content`, which can overwrite all existing page content. In an agent skill, showing destructive operations without an adjacent warning or confirmation pattern increases the chance an LLM or user will apply the command to the wrong page or run it without understanding the data-loss risk.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The batch examples encourage multiple write operations in one call, which can amplify mistakes by applying unintended changes at scale. In a Notion automation context, this is more dangerous than a single write because an incorrect database ID, row ID, or property mapping can modify many records quickly without highlighting rollback or confirmation guidance.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation tells an agent to read `$hints` from command output and automatically execute the suggested fix commands, including destructive operations like `database delete-property`, without requiring independent validation, user confirmation, or trust boundaries. Because `$hints` is untrusted content derived from external Notion data, this creates a prompt-injection style workflow where attacker-controlled workspace content can induce unintended state-changing actions and data loss.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal