MH notion

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Notion API helper, but users should protect the Notion token because the examples store it locally and can modify shared Notion content.

Use a dedicated Notion integration, share only the specific pages or databases it needs, store the token in an environment variable or secret manager when possible, and if using the documented file, restrict its permissions and avoid syncing or committing it. Review POST and PATCH examples before running them because they can create or change Notion workspace content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The setup instructions direct users to persist a sensitive Notion API key in a plaintext file under the home directory without any warning about file permissions, secure storage, shell history exposure, or multi-user host risks. While common in simple CLI examples, this creates unnecessary credential exposure risk if the workstation is shared, backed up insecurely, or later accessed by other local processes.

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup

1. Create an integration at https://notion.so/my-integrations
2. Copy the API key (starts with `ntn_` or `secret_`)
3. Store it:
Confidence
85% confidence
Finding
Create an integration at https://notion.so/my-integrations 2. Copy the API key (starts with `ntn_` or `secret_`) 3. Store it: ```bash mkdir -p ~/.config/notion echo "ntn_your_key_here" > ~/.config/no

VirusTotal

66/66 vendors flagged this skill as clean.
