Convert Notion HTML exports to interactive mind maps

Security checks across malware telemetry and agentic risk

Overview

This skill behaves coherently: it converts a user-provided Notion HTML export into local mind map files, with no hidden credential use, background activity, or automatic data transfer.

Install this only if you are comfortable processing Notion exports locally. The generated JSON and HTML can contain page titles and Notion page links from the export, so treat the output as potentially sensitive and share it only with intended recipients.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill instructs the agent to read a user-supplied HTML file and generate new output files, which are file read/write capabilities, but it declares no permissions. This mismatch weakens permission transparency and can lead to the skill being invoked without users or the platform clearly understanding that local file access and file generation will occur.

Vague Triggers

Medium
Confidence: 82%
Finding: The invocation text includes broad triggers such as mentions of '思维导图', 'mindmap', or general requests to visualize Notion page structure, which can overlap with ordinary user requests and cause unintended activation. Over-broad routing increases the chance the skill processes files or generates outputs in contexts where the user did not explicitly request this transformation.

VirusTotal

65/65 vendors flagged this skill as clean.
