Notion Publisher

Security checks across malware telemetry and agentic risk

Overview

This Notion publishing skill is mostly coherent, but it can replace existing Notion page content by default without a separate confirmation step.

Install only if you are comfortable granting a Notion integration read, update, and insert access to the target workspace content. When updating an existing page, prefer append mode unless you intentionally want to replace the whole page body, and avoid the external cover/image searches for confidential articles, since the search query carries the article's keywords to a third-party API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The description frames the skill as publishing new articles, but the instructions also authorize searching databases, updating existing pages, and replacing content including deleting or archiving existing child blocks. That mismatch can cause users or orchestrators to invoke the skill with broader write authority than expected, increasing risk of unintended destructive modifications to existing Notion content.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger conditions are broad enough to match common requests about publishing or creating Notion content, which can cause over-invocation of a powerful skill that performs filesystem access, network calls, and remote writes. Over-broad activation raises the chance that the skill runs in contexts where the user intended a simpler drafting action, leading to accidental data transmission or unwanted page creation/updates.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The update command defaults to replace mode, which can delete all existing page blocks when new content is provided. In a CLI/agent context, this can cause unintended destructive writes to user content without an explicit confirmation step at the point of action.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
In replace mode, the code archives every existing child block of the target page before appending new content, with no direct user confirmation. If the wrong page ID is supplied or an agent misinterprets instructions, legitimate Notion page content can be irreversibly lost or significantly damaged.
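The two findings above (replace as the default, and archiving every child block with no confirmation) are what a safer update path should remove. The following is an added example, not the skill's own code: it plans a Notion page update as an explicit list of API calls, defaults to append, and refuses replace mode unless the caller passes `confirm_replace=True` after being told how many blocks would be archived. The endpoints are Notion's public block endpoints (`GET /v1/blocks/{id}/children`, `PATCH /v1/blocks/{id}` with `archived: true`, `PATCH /v1/blocks/{id}/children`); the `transport` callable, `fake_transport`, and the block IDs `b1`..`b3` and page ID `p1` are assumptions so the planner can run offline.

```python
"""Safe-update planner for a Notion page: append by default, replace only on explicit opt-in.

Added example, not the skill's code. The transport indirection is an assumption used
so the planner can be exercised against a constructed, offline stand-in for the API.
"""
import json
import urllib.request

NOTION_API = "https://api.notion.com/v1"
NOTION_VERSION = "2022-06-28"


class ReplaceNotConfirmed(Exception):
    """Replace mode requested without confirm_replace=True."""


def http_transport(token):
    """Real transport for the Notion REST API. Not exercised offline."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(NOTION_API + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Notion-Version", NOTION_VERSION)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def list_children(page_id, transport):
    """Page through /blocks/{id}/children using Notion's cursor pagination."""
    blocks, cursor = [], None
    while True:
        path = f"/blocks/{page_id}/children?page_size=100"
        if cursor:
            path += f"&start_cursor={cursor}"
        page = transport("GET", path)
        blocks.extend(page.get("results", []))
        if not page.get("has_more"):
            return blocks
        cursor = page["next_cursor"]


def plan_update(page_id, new_children, mode="append", confirm_replace=False, transport=None):
    """Return the ordered (method, path, body) calls the update would make; nothing is sent.

    append  : one PATCH adding new_children; existing blocks are untouched.
    replace : archive every existing child block, then append. Refused unless
              confirm_replace is True, and the refusal states how many blocks
              would be archived so the caller can check the page ID first.
    """
    if mode not in ("append", "replace"):
        raise ValueError(f"unknown mode: {mode}")
    calls = []
    if mode == "replace":
        existing = list_children(page_id, transport)
        if not confirm_replace:
            raise ReplaceNotConfirmed(
                f"replace would archive {len(existing)} block(s) on page {page_id}; "
                "pass confirm_replace=True to proceed"
            )
        for block in existing:
            calls.append(("PATCH", f"/blocks/{block['id']}", {"archived": True}))
    calls.append(("PATCH", f"/blocks/{page_id}/children", {"children": new_children}))
    return calls


def execute(calls, transport):
    """Send a plan produced by plan_update; returns the API responses in order."""
    return [transport(method, path, body) for method, path, body in calls]


def fake_transport(existing_ids, page_size=2):
    """Constructed offline stand-in: serves existing_ids in cursor pages and logs every call.

    It ignores the requested page_size so pagination is exercised with small inputs.
    """
    log = []

    def send(method, path, body=None):
        log.append((method, path, body))
        if method != "GET":
            return {"object": "block", "archived": bool(body and body.get("archived"))}
        start = int(path.split("start_cursor=")[1]) if "start_cursor=" in path else 0
        chunk = existing_ids[start:start + page_size]
        nxt = start + page_size
        more = nxt < len(existing_ids)
        return {"results": [{"id": i, "type": "paragraph"} for i in chunk],
                "has_more": more, "next_cursor": str(nxt) if more else None}

    send.log = log
    return send


if __name__ == "__main__":
    t = fake_transport(["b1", "b2", "b3"])
    para = {"object": "block", "type": "paragraph",
            "paragraph": {"rich_text": [{"type": "text", "text": {"content": "hello"}}]}}
    print(plan_update("p1", [para], transport=t))            # append: one call
    try:
        plan_update("p1", [para], mode="replace", transport=t)
    except ReplaceNotConfirmed as e:
        print("refused:", e)                                   # names the 3 blocks at risk
    print(plan_update("p1", [para], mode="replace", confirm_replace=True, transport=t))
```

In an agent or CLI wrapper, the refusal message is the confirmation prompt: surface it, then re-run with `confirm_replace=True` only after the user has seen the page ID and block count. Keeping the plan separate from `execute` also gives a dry run for free.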

External Transmission

Medium
Category
Data Exfiltration
Content
- Search the API for public-domain artworks with `image_id`, then build:
     `https://www.artic.edu/iiif/2/{image_id}/full/843,/0/default.jpg`
   - Good search query shape:
     `https://api.artic.edu/api/v1/artworks/search?q={keywords}&query[term][is_public_domain]=true&fields=id,title,artist_display,image_id,is_public_domain`
3. Alternate artwork sources:
   - The Met Open Access: use the object API's `primaryImage` or `primaryImageSmall` JPEG URL when `isPublicDomain` is true.
   - Rijksmuseum: use IIIF URLs like `https://iiif.micr.io/{id}/full/max/0/default.png` when an image id is available.
Confidence
78% confidence
Finding
https://api.artic.edu/

Session Persistence

Medium
Category
Rogue Agent
Content
To get a Notion token:
1. Open Notion's integrations/creator dashboard.
2. Create a new internal integration in the target workspace.
3. Open the integration's Configuration tab and copy the Internal Integration Secret.
4. Enable the capabilities needed for publishing, including read content, update content, and insert content.
5. Share the target Notion database or parent page with the integration through the Content access tab or Notion's Add connection menu.
Confidence
80% confidence
Finding
Create a new internal integration in the target workspace. 3. Open the integration's Configuration tab and copy the Internal Integration Secret. 4. Enable the capabilities needed for publishing, inclu

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal