Notion Sync

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Notion sync skill, but it can upload local files to Notion and overwrite synced Notion page content if used broadly.

Install only if you intend to copy local files into Notion. Use a dedicated Notion root page, run `notion-sync sync --dry-run` first, add ignore rules for `.env`, keys, credentials, private notes, and proprietary files, and keep `.notion-sync.json` out of source control because it contains the Notion token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README encourages syncing entire directories and file contents to Notion but does not prominently warn that this can upload sensitive source code, secrets, internal documents, or personal data to a third-party SaaS. In a workspace-sync tool, that omission materially increases the risk of accidental data exfiltration, especially because users may run it at project root and assume defaults are safe.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup example passes the Notion API token directly on the command line, which can leak via shell history, process listings, terminal logging, or CI job output. This is a well-known secret-handling risk, and documenting it without warning or a safer alternative can lead users to expose long-lived credentials unintentionally.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README states that existing pages are updated in place by clearing and re-adding blocks, but it does not clearly frame this as a destructive overwrite risk. In the context of a synchronization tool targeting live Notion content, users may unintentionally erase or replace manually edited remote content, causing data loss or integrity issues.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly promotes syncing local directories and files to Notion but does not warn that file contents leave the local system and are transmitted to a third-party service. In a tool intended to operate on arbitrary workspace content, this omission can cause users to unintentionally expose proprietary code, secrets, or personal data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The initialization example shows passing a Notion token directly on the command line without guidance on secure handling. Command-line secrets may be exposed through shell history, process listings, logs, or shared terminal recordings, increasing the chance of credential disclosure.

Missing User Warnings

High
Confidence
97% confidence
Finding
The config example documents storing the Notion access token in plaintext inside .notion-sync.json without any warning or compensating controls. Because this file lives in the workspace, it can be accidentally committed, copied, or read by other local tools, leading to persistent credential compromise and unauthorized access to Notion content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code writes the entire configuration object to .notion-sync.json, which includes the Notion API token in plaintext. Persisting credentials to a workspace file without any warning, secure storage mechanism, or permission hardening increases the risk of accidental disclosure through source control, backups, shared directories, or local compromise.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
During initialization, the function constructs a config object containing the provided token and immediately saves it to disk, silently persisting sensitive credentials. In the context of a sync tool that operates in local workspaces, this is especially risky because the workspace may be collaborative or routinely committed, making accidental token leakage more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code reads arbitrary workspace files and uploads their full contents to Notion using the configured API token, but the function itself provides no consent gate, allowlist enforcement, or prominent disclosure before transmission. In a sync skill, exfiltrating local file contents to a third-party service is core functionality, but it is still security-relevant because misconfiguration, overly broad paths, or agent misuse could cause sensitive files to be sent unintentionally.

VirusTotal

64/64 vendors flagged this skill as clean.
