Back to skill

Security audit

notion-clipper-skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Notion web clipper whose browser automation, Notion writes, and credential use are disclosed and aligned with its purpose, though users should treat login-mode captures and stored tokens as sensitive.

Install only if you are comfortable giving a Notion integration access to the target pages/databases and letting this skill automate a local Chrome session. Use a narrowly scoped Notion integration, protect ~/.config/notion/api_key, and be careful with --wait because logged-in page content and persistent browser sessions can include private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly supports clipping login-required pages in wait mode, which can capture authenticated, paywalled, or otherwise private content from the user's browser session and upload it to Notion. Without a clear warning and consent checkpoint, users may unknowingly exfiltrate sensitive personal, corporate, or licensed content into another service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file enables Chrome remote debugging on a local TCP port and then connects over local HTTP/WebSocket to control the browser. Exposing CDP creates a powerful control channel over the browser profile; if another local process can discover or race to connect to that port, it may inspect pages, cookies, or drive authenticated browser actions, and the use of a persistent user-data directory increases the sensitivity of that access.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/cdp.ts:196

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/cdp.ts:126