ClawHub

Notion Integration

Security checks across malware telemetry and agentic risk

Overview

This Notion helper uses a user-provided Notion token to read and modify shared Notion content, and that behavior is disclosed and aligned with its purpose.

Install only if you intend to let an agent access Notion resources shared with your Notion integration. Use a least-privilege integration, share only the needed pages or databases, keep NOTION_TOKEN out of logs and committed files, and review target IDs before running create or update commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly instructs users to set and use a sensitive environment variable (`NOTION_TOKEN`) but declares no permissions, creating a mismatch between documented capabilities and declared access. This can bypass expected consent and review flows, increasing the risk that secrets are accessed or used without adequate visibility.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description is broadly phrased to activate for almost any request involving Notion, including create, update, delete, automation, syncing, and integrations. Overbroad routing increases the chance the skill is invoked in situations where a narrower or read-only tool would be safer, which can lead to unnecessary access to workspace data or unintended mutations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises create, update, and delete capabilities for Notion pages and databases without any warning, confirmation requirement, or safety guidance around modifying workspace data. In the context of a live SaaS workspace, destructive operations can cause data loss, corruption, or unauthorized changes if the skill is triggered accidentally or used with overly broad tokens.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation tells users to export a Notion integration token and use it in examples, but it does not warn that this token is a sensitive secret granting API access to any shared Notion resources. In agent or automation contexts, examples that normalize raw secret handling can lead to accidental disclosure through shell history, logs, screenshots, copied commands, or unsafe reuse in broader execution environments.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script performs authenticated reads and writes against a user's Notion workspace but provides no user-facing disclosure, confirmation, or guardrails before modifying remote data. In an agent skill context, this increases the risk of silent data access or unintended changes because the token grants real API access and the operations are not limited to a dry-run or explicitly confirmed workflow.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal