Back to skill

Security audit

Notion Enhanced

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Notion integration that reads and writes only Notion content shared with its integration token, with ordinary credential and automation cautions.

Install only if you want an agent to read and modify Notion pages or databases you explicitly share with the Notion integration. Use a dedicated Notion integration, share the minimum pages needed, keep NOTION_TOKEN out of source control with restrictive local permissions, and require review before automation changes customer, project, or business records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The documentation claims webhook sync support that can process incoming webhooks and update local memory files, which expands the trust boundary beyond the stated Notion read/write content operations. If implemented without strict validation and explicit user consent, this creates a path for external events to trigger local state changes or indirect prompt/data injection.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The example imports and relies on a generic exec interface rather than a narrowly scoped Notion API wrapper. Even if the current example only uses it to invoke a local Notion CLI, exposing shell-style execution in a Notion skill broadens the effective capability surface and can enable unintended command execution if reused with variable input or copied into production workflows.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script builds a shell command via string interpolation and passes JSON and title data directly into it. While the hardcoded sample data is benign, this pattern becomes dangerous as soon as titles, notes, database IDs, or research findings come from external or semi-trusted sources, because shell metacharacters or quoting breaks can lead to arbitrary command execution under the agent's privileges.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill prominently documents create and update operations against remote Notion pages/databases but does not clearly warn that these commands modify live user workspace data. In agentic contexts, missing write-safety warnings increases the risk of unintended destructive or privacy-impacting changes if an agent executes examples automatically or on ambiguous user intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The webhook sync section describes automatic synchronization from external Notion changes into OpenClaw memory files without warning that external events may trigger local updates. That omission is dangerous because users may not realize the skill can perform background state changes driven by external systems, increasing integrity and injection risks.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The script unconditionally renames package-standalone.json to package.json in the working directory, which modifies local files without prompting, backup, or checking whether an existing package.json should be preserved. This can unexpectedly overwrite or alter the repository state and may break workflows or cause users to run npm install against a changed manifest they did not intend to use.

Missing User Warnings

Low
Confidence
89% confidence
Finding
When --numbered is used, the CLI writes a notion-entry-mapping.json file into the system temp directory containing page ID mappings. Temp directories are often shared across processes/users on the same host and the file is written without restrictive permissions or disclosure, which can unnecessarily expose internal resource identifiers and create residual local state.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly instructs users to store a live Notion API token in `~/.openclaw/.env` but does not include any guidance about protecting that file, avoiding commits, or using safer secret-management practices. This can lead to accidental credential exposure through source control, backups, shared machines, logs, or support screenshots, which would grant access to every Notion resource shared with the integration.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.