Morning Briefing

Security checks across malware telemetry and agentic risk

Overview

This daily briefing skill appears legitimate, but it needs review because it under-discloses local Notion credential use and possible persistent vault storage of private planning data.

Review this before installing. Use a Notion token limited to the single tasks database, confirm whether the skill writes briefing content into a vault, and avoid generic invocations if you do not want reminders and Notion tasks accessed automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script reads a local Notion API key from disk and performs an authenticated external request, which creates credential-access and network-exfiltration behavior inside a helper script. While this appears functionally related to fetching Notion tasks for a morning briefing, it is still risky because the script provides no consent prompt, validation, or minimization controls around use of the credential and transmission of workspace data.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README describes broad example invocations like "Morning briefing" and a trigger chain of "remindctl today + Notion query + vault_add_note" without defining clear activation boundaries, required confirmation, or limits on what data sources and write actions are allowed. This ambiguity can cause the skill to run on overly generic prompts and perform unintended data retrieval or note-writing actions, increasing the chance of privacy leakage or unauthorized side effects.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill description includes broad trigger phrases like "morning briefing," "daily summary," and especially "today's plan," which are common everyday requests and can cause the skill to be invoked unintentionally. Because the skill accesses reminders, Notion tasks, and vault storage, accidental activation could expose personal data or cause the wrong tool to run in place of a more appropriate assistant behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script silently loads a Notion API token from ~/.config/notion/api_key and sends it as a bearer token in an outbound HTTP request. Even if intended for legitimate task retrieval, this is dangerous in an agent skill because users may not realize the skill is accessing local credentials and remote services, and compromise or misuse of the script could expose workspace data.

External Transmission

Medium
Category
Data Exfiltration
Content
    #!/bin/bash
    set -e

    date=${1:-$(date +%Y-%m-%d)}
    notion_db=${NOTION_TASKS_DB:-}

    cat << EOF
    📅 Morning Briefing for ${date}

    ⏰ REMINDERS (Today)
    EOF

    remindctl today --plain | awk -F'\t' '{print "  " substr($1,1,8) " - " $5}' || echo "  No reminders"

    echo

    echo 📝 NOTION TASKS
    echo

    if [ -n "$notion_db" ]; then
      # Reads the Notion API key from local disk
      NOTION_KEY=$(cat ~/.config/notion/api_key)
      # Sends the key as a bearer token in an outbound request to the Notion API
      curl -s -X POST "https://api.notion.com/v1/databases/$notion_db/query" \
        -H "Authorization: Bearer $NOTION_KEY" \
        -H "Notion-Version: 2022-06-28" \
        -H "Content-Type: application/json" \
        -d '{"filter": {"property": "Status", "select": {"does_not_equal": "Done"}}}' | \
      jq -r '.results[] | "  [ ] " + (.properties.Name.title[0].plain_text // "Untitled")'
    else
      echo "  Set NOTION_TASKS_DB env or specify DB ID"
    fi

    # Output to stdout for Clawdbot to capture/use
Confidence
80% confidence
Finding
    curl -s -X POST "https://api.notion.com/v1/databases/$notion_db/query" \
      -H "Authorization: Bearer $NOTION_KEY" \
      -H "Notion-Version: 2022-06-28" \
      -H

External Transmission

Medium
Category
Data Exfiltration
Confidence
80% confidence
Finding
https://api.notion.com/

VirusTotal

66/66 vendors flagged this skill as clean.
