ClawHub

Notion Sync Obsidian

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Notion-to-Obsidian sync skill, but users should protect their Notion token and understand it can run a background sync that writes local notes.

Install only if you are comfortable giving a Notion integration access to the pages or databases you connect. Use a narrowly scoped Notion integration, keep config.json private and out of version control, avoid sharing logs or terminal output, test with a dedicated Obsidian subfolder first, and start the timer only when you want ongoing background sync.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises capabilities consistent with reading/writing local files, making network requests, and executing shell scripts, but the manifest does not declare permissions. This creates a transparency and governance gap: users and platforms cannot accurately assess or gate the skill's access before use, increasing the risk of unintended file modification, credential exposure, or command execution.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The configuration explicitly enables shell fallback and automatic dependency installation, which expands the execution surface beyond simple Notion-to-Obsidian synchronization. If the surrounding skill invokes shell commands or installs packages dynamically, an attacker who can influence inputs, environment, or package sources could trigger command execution or unsafe package installation on the host.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script prints the first 10 characters of the Notion API key to the console. Even partial secret disclosure is unnecessary for the feature's purpose and can leak into terminal scrollback, logs, screenshots, CI output, or shared support transcripts, making credential exposure more likely.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script is presented as a simplified connectivity/basic-function checker, but it performs a persistent write into the user's Obsidian vault by creating a markdown file. This mismatch creates an unexpected side effect in a directory that may be synced, indexed, or trusted by other tooling, increasing the risk of unwanted data creation and user deception.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The inline description claims the script only performs simplified API/basic-function checks, but the implementation creates directories and exports a markdown file. Hidden persistence is dangerous because users may run a diagnostic script expecting read-only behavior, while it actually modifies local content in a synced knowledge base.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installation guide instructs users to place a live Notion API key into a local config file, but it does not warn that the key is a sensitive credential that must not be committed, shared, or exposed in logs and screenshots. This increases the likelihood of accidental credential leakage, which could allow unauthorized access to the user's Notion workspace via the integration.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document directs users to run scripts that authenticate to Notion and write synchronized content into a local Obsidian vault, but it does not clearly describe the security implications of transmitting account data to an external API or writing remote content into local files. Without warnings, users may run the tool against sensitive workspaces or vault paths without understanding privacy, overwrite, and content-trust risks.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README advertises automatic synchronization from Notion to a local Obsidian vault, but it does not prominently disclose the security-relevant behavior that the skill will periodically contact the Notion API and write exported content onto the local filesystem. In an agent/skill ecosystem, insufficient notice about network access and file-writing behavior can lead users to authorize a capability without understanding the resulting data exposure or modification of local notes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation describes scheduled synchronization and export into a local Obsidian directory, but it does not clearly warn that files will be created or updated automatically over time. In context, this is more dangerous because the skill is explicitly designed for recurring unattended writes, so users may enable it without understanding that local notes can be modified on a timer.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to place a Notion API key in configuration and sync workspace content locally, but it lacks clear guidance on secret handling, storage security, and the sensitivity of exported data. This raises the chance of credential leakage through config files, logs, backups, or repository commits, and can also lead to unintentional local replication of private workspace information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly recommends placing the Notion API token in config.json and does not warn users to protect that file, exclude it from version control, or prefer environment variables or a separate secrets store. This can lead to accidental secret exposure through git commits, backups, shared vaults, or local file disclosure, which would allow unauthorized access to the connected Notion workspace content.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The testing and sync commands instruct users to run scripts that may make outbound API requests and write files into the local Obsidian vault, but the document does not clearly disclose those side effects. Users may execute them without realizing they will contact external services or modify local data, increasing the chance of unintended data sync, overwrites, or privacy exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This debug script retrieves Notion page metadata and content snippets from a live workspace and prints them to stdout without an explicit warning, consent step, or output redaction. In practice, this can expose sensitive document titles, URLs, text, and relationships in terminals, logs, CI output, or screen recordings, making it a real confidentiality risk even though the behavior appears intended for troubleshooting.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This is the same underlying issue as SDI-2: the script discloses part of the Notion bearer token to the user without operational need or warning. Because bearer tokens are authentication secrets, exposing any part of them increases the chance of accidental credential handling mistakes and secondary leakage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal