Notion co-worker

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it can read Gmail and Notion context, use past chat memory, and automatically post persistent Notion replies and pages with limited confirmation controls.

Install only if you want an agent that can act on your behalf in Gmail and Notion. Use it with confirmation before posting comments, creating pages, or changing email state; limit how many notifications it handles at once; and avoid allowing prior chat memory or sensitive private context to be written into shared Notion pages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The skill says Gmail modification tools are not available and instructs the user to manually manage processed emails, but then immediately directs the agent to apply a label, mark messages as read, and archive them. This contradiction can cause unsafe assumptions about tool capability, inconsistent execution paths, or failed post-processing that leaves sensitive notification emails mishandled or repeatedly reprocessed.

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger rules are overly broad, including vague phrases like 'check my mentions' or 'any new comments?' and even allowing activation based on prior use without explicit current confirmation. In this skill, activation grants access to Gmail, conversation history, Notion data, optional web search, and autonomous posting, so an accidental trigger can cause unintended cross-system data access and actions on the user's behalf.

Missing User Warnings

High
Confidence: 98%
Finding
The skill description does not clearly warn that it will autonomously access Gmail notifications, mine prior conversations and memory, inspect the Notion workspace, optionally use web sources, post replies in Notion, and create subpages. Because the skill performs broad data access and external side effects, lack of up-front disclosure undermines informed consent and increases the risk of users unknowingly authorizing sensitive operations.

Ssd 3

Medium
Confidence: 96%
Finding
The research subpage explicitly instructs the agent to include information pulled from memory and past conversations in a Notion artifact visible to others in the workspace. That creates a clear data-minimization and privacy boundary failure: private user-provided context from prior chats may be copied into a collaborative system even when it is unnecessary to answer the mention.

VirusTotal

66/66 vendors flagged this skill as clean.
