ClawHub

Notion Mvp

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Notion task helper that uses a Notion token to create and query tasks in configured databases, with no evidence of hidden exfiltration or persistence.

Install only if you are comfortable giving the agent a Notion integration token. Share that Notion integration only with the task databases you intend to use, keep NOTION_DATABASE_MAP limited, and avoid capturing secrets or highly sensitive information as task text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes shell and environment-variable capabilities but does not declare permissions, which weakens transparency and policy enforcement around a token-bearing integration. Because it uses `NOTION_TOKEN` and a shell wrapper, an agent or reviewer may underestimate the skill's ability to access secrets and invoke external commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The manifest says the skill is for a single task database, but the documentation describes broader behavior including alias-based access to multiple databases and extra query functionality. This mismatch can mislead operators and users about the scope of accessible data, increasing the chance of cross-database data exposure or use beyond intended task capture.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Claiming single-database operation while implementing alias-based access to multiple Notion databases expands the trust boundary without clear disclosure. In practice, a user may invoke a seemingly narrow task skill that can read from or write to other organizational databases configured in the alias map.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata says it operates on a single Notion database, but the implementation resolves arbitrary aliases from NOTION_DATABASE_MAP and can enumerate them. This creates a scope mismatch: an agent or user may believe actions are confined to one database while the code can access multiple configured databases, increasing the chance of unintended data access or modification.

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
The advertised functionality is limited to adding tasks and listing today's tasks, but the script also supports free-text search and retrieval of the next upcoming item. Hidden capabilities expand data access beyond the declared use case, which can cause over-privileged use by an agent or expose more information than users expect.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill omits a warning that user-provided task content is sent to the external Notion API, which can cause inadvertent disclosure of sensitive personal or business information. This is especially relevant because chat-captured todos often include names, locations, schedules, or other private context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal