Pub Notion

Security checks across malware telemetry and agentic risk

Overview

This Notion-branded skill is actually a broad SkillBoss API gateway that can process data through third-party models and perform outbound email/SMS actions.

Install only if you intentionally want a broad SkillBoss API gateway, not a narrow Notion tool. Use a restricted key and spending limits where possible, avoid sending sensitive documents or private URLs unless you accept the provider data flow, and require explicit review before any email, SMS, scraping, or document-processing action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: High | Confidence: 99%

The skill is materially mislabeled: its manifest and description present it as a Notion integration, but the body exposes a broad third-party multi-model platform with unrelated capabilities such as email, SMS, scraping, and media generation. This deception can cause users or higher-level agents to invoke the skill under false assumptions about scope, trust boundaries, and data handling, increasing the chance of unintended data exfiltration or outbound actions.

Context-Inappropriate Capability

Severity: Medium | Confidence: 97%

The email sending and SMS verification features are unrelated to the stated Notion purpose and enable real-world outbound actions using external services. In a mislabeled skill, these hidden communication capabilities are especially risky because they could be used for spam, unwanted contact, OTP workflows, or social engineering without users expecting that the skill can message third parties.

Description-Behavior Mismatch

Severity: High | Confidence: 93%

The file advertises capabilities far beyond the stated Notion-focused purpose, including document parsing, email, SMS, embeddings, and presentation generation. This kind of scope mismatch is dangerous because it hides materially different actions and data flows from reviewers and users, increasing the risk of unexpected data exfiltration, messaging abuse, or unauthorized secondary use of content.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%

Email and SMS tools enable outbound communications that are unrelated to core Notion page/database management and can be abused for spam, phishing, OTP interception workflows, or covert exfiltration channels. In a skill presented as Notion-centric, these capabilities are more dangerous because users and reviewers may not expect or scrutinize messaging behavior.

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%

Embeddings and presentation-generation capabilities are outside the narrow Notion API scope and introduce additional processing paths for user content. These features can enable silent repurposing of workspace data for indexing, inference, or external content generation without clear user expectation, expanding the attack surface and privacy risk.

Missing User Warnings

Severity: Medium | Confidence: 94%

The skill routes prompts, documents, audio, images, and other user content to an external API aggregator and multiple downstream providers, but it does not warn users about that transfer or describe privacy implications. This omission undermines informed consent and can lead to sensitive data being sent to third parties unexpectedly.

Missing User Warnings

Severity: High | Confidence: 98%

The email and SMS examples involve sending messages and processing phone numbers/OTP codes, but the skill provides no warning that these are real-world actions affecting external recipients and personal data. Users or orchestrating agents may trigger messaging or verification flows without understanding consent, compliance, or privacy consequences.

VirusTotal

66/66 vendors flagged this skill as clean.