ClawHub

Notion记账财务分析

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but it handles Notion tokens and private financial data with limited privacy guidance and writes a sensitive report to a fixed workspace path.

Review before installing. Use a dedicated Notion integration connected only to the specific accounting databases, avoid pasting tokens into shared chats or shell history, confirm the exact data_source_id values before running, and protect or delete the generated /workspace finance report if it contains personal financial information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill asks users to provide a Notion Integration Token and advertises automatic full-database retrieval, but the README does not clearly warn about the scope of data access, sensitivity of the token, retention/logging risks, or least-privilege setup. In a financial-analysis context, this is dangerous because the token may expose complete personal or household accounting records, and users may grant broader workspace access than necessary.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are very broad and map to common user intents like analyzing finances or generating reports, so the skill could activate unexpectedly in situations where the user did not intend to provide or use sensitive Notion data. In this context, unintended activation is more dangerous because the skill expects high-sensitivity credentials and may proceed to query external APIs and write outputs to disk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly states it will write a generated Markdown report to /workspace/ but does not clearly warn the user about this file-system side effect or obtain consent. With financial/accounting data, this can leave sensitive summaries on disk where they may persist longer than expected or be accessed by other processes in the environment.

External Transmission

Medium
Category
Data Exfiltration
Content
用户未提供 data_source_id 时,用搜索接口查找:

```bash
curl -s -X POST "https://api.notion.com/v1/search" \
  -H "Authorization: Bearer $NOTION_API_TOKEN" \
  -H "Notion-Version: 2025-09-03" \
  -d '{"query": "支出", "page_size": 20}' \
Confidence
87% confidence
Finding
curl -s -X POST "https://api.notion.com/v1/search" \ -H "Authorization: Bearer $NOTION_API_TOKEN" \ -H "Notion-Version: 2025-09-03" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
用户未提供 data_source_id 时,用搜索接口查找:

```bash
curl -s -X POST "https://api.notion.com/v1/search" \
  -H "Authorization: Bearer $NOTION_API_TOKEN" \
  -H "Notion-Version: 2025-09-03" \
  -d '{"query": "支出", "page_size": 20}' \
Confidence
87% confidence
Finding
https://api.notion.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal