Back to skill

Security audit

Morning Briefing

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate morning briefing helper, but it needs review because it uses a local Notion API key and may store private briefing data without clear user-facing controls.

Review before installing. Use a Notion token scoped only to the intended tasks database, confirm whether vault_add_note writes briefing content and where, and avoid broad invocations if you do not want reminders and Notion tasks accessed automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script retrieves tasks from Notion by making a third-party API call and loading a local API key from disk, but the skill metadata provides no declared purpose, disclosure, or consent boundary for this network access. In an agent skill context, undisclosed external retrieval broadens the trust boundary and can expose user task metadata to remote services without clear user awareness.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README advertises very broad natural-language invocations like "Morning briefing" and "Daily report" without clear trigger constraints, making accidental or overly broad activation more likely. Because the trigger chains multiple actions (remindctl today, Notion query, and vault_add_note), an unintended invocation could cause data retrieval and note creation across integrated systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads a sensitive Notion API key from ~/.config/notion/api_key and immediately uses it in an outbound HTTP request, without any user-facing warning or confirmation. While this is normal for a legitimate integration, in a skill setting it creates a secret-handling and data-transmission risk because the user may not realize local credentials are being consumed to access external data.

External Transmission

Medium
Category
Data Exfiltration
Content
#!/bin/bash\nset -e\n\ndate=${1:-$(date +%Y-%m-%d)}\nnotion_db=${NOTION_TASKS_DB:-}\n\ncat << EOF\n📅 Morning Briefing for ${date}\n\n⏰ REMINDERS (Today)\nEOF\n\nremindctl today --plain | awk -F'\\t' '{print "  " substr(\$1,1,8) " - " \$5}' || echo "  No reminders"\n\necho\n\necho 📝 NOTION TASKS\necho\n\nif [ -n "$notion_db" ]; then\n  NOTION_KEY=\\$(cat ~/.config/notion/api_key)\n  curl -s -X POST "https://api.notion.com/v1/databases/$notion_db/query" \\\n    -H "Authorization: Bearer \\$NOTION_KEY" \\\n    -H "Notion-Version: 2022-06-28" \\\n    -H "Content-Type: application/json" \\\n    -d '{\"filter\": {\"property\": \"Status\", \"select\": {\"does_not_equal\": \"Done\"}}}' | \\\n  jq -r '.results[] | \"  [ ] \" + (.properties.Name.title[0].plain_text // "Untitled")'\nelse\n  echo "  Set NOTION_TASKS_DB env or specify DB ID"\nfi\n\n# Output to stdout for Clawdbot to capture/use\n
Confidence
86% confidence
Finding
curl -s -X POST "https://api.notion.com/v1/databases/$notion_db/query" \\\n -H "Authorization: Bearer \\$NOTION_KEY" \\\n -H "Notion-Version: 2022-06-28" \\\n -H

External Transmission

Medium
Category
Data Exfiltration
Content
#!/bin/bash\nset -e\n\ndate=${1:-$(date +%Y-%m-%d)}\nnotion_db=${NOTION_TASKS_DB:-}\n\ncat << EOF\n📅 Morning Briefing for ${date}\n\n⏰ REMINDERS (Today)\nEOF\n\nremindctl today --plain | awk -F'\\t' '{print "  " substr(\$1,1,8) " - " \$5}' || echo "  No reminders"\n\necho\n\necho 📝 NOTION TASKS\necho\n\nif [ -n "$notion_db" ]; then\n  NOTION_KEY=\\$(cat ~/.config/notion/api_key)\n  curl -s -X POST "https://api.notion.com/v1/databases/$notion_db/query" \\\n    -H "Authorization: Bearer \\$NOTION_KEY" \\\n    -H "Notion-Version: 2022-06-28" \\\n    -H "Content-Type: application/json" \\\n    -d '{\"filter\": {\"property\": \"Status\", \"select\": {\"does_not_equal\": \"Done\"}}}' | \\\n  jq -r '.results[] | \"  [ ] \" + (.properties.Name.title[0].plain_text // "Untitled")'\nelse\n  echo "  Set NOTION_TASKS_DB env or specify DB ID"\nfi\n\n# Output to stdout for Clawdbot to capture/use\n
Confidence
86% confidence
Finding
https://api.notion.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.