Notion Workspace

Security checks across malware telemetry and agentic risk

Overview

This Notion skill mostly does what it says, but it ships with a real-looking embedded Notion token that will be used if the user does not provide their own.

Review before installing. Remove the embedded token or require NOTION_TOKEN to be explicitly set before any request, and revoke or rotate the exposed token if you control it. Only grant a Notion integration access to the specific pages or databases the agent should manage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill declares access to an environment token and direct network use, but does not declare permissions for those capabilities. That reduces transparency and makes it harder for users or a policy engine to understand that the skill can access secrets and communicate with external services. In this context, the capability is expected for a Notion integration, but undeclared permissions still create avoidable security and governance risk.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 98%
Finding:
The documentation states that a NOTION_TOKEN environment variable can be used, but also says an embedded default token in the script will be used otherwise, indicating a hardcoded credential. Hardcoded API credentials are highly sensitive because anyone with access to the skill code can reuse the token to access or modify the linked Notion workspace, and the behavior is not transparently disclosed in the declared purpose. The Notion-management context makes this especially dangerous because the credential likely grants real read/write access to remote user data.

Context-Inappropriate Capability (High)
Confidence: 99%
Finding:
The code embeds a fallback Notion API token directly in source, which is a real credential exposure and enables unauthorized access to whatever workspace the token can reach. In a workspace-management skill, this is especially dangerous because the token can be used to read databases/pages and modify content without the user's explicit provisioning of credentials.

Missing User Warnings (Medium)
Confidence: 86%
Finding:
The skill supports creating pages and appending blocks in a remote Notion workspace, but the documentation does not clearly warn that these actions will modify external data. Without explicit mutation warnings or confirmation expectations, users may invoke the skill assuming read-only behavior and unintentionally alter production notes, databases, or workflows. Because this skill targets a live SaaS workspace, the risk of accidental integrity-impacting changes is meaningful.

Missing User Warnings (Medium)
Confidence: 95%
Finding:
The setup text normalizes use of an embedded default token without warning about secret sensitivity, token scope, or the danger of shipping credentials inside the skill. This can lead users to unknowingly rely on compromised or shared credentials, and it signals that secret-handling practices are weak. In a skill that can read and write Notion content over the network, poor credential hygiene can directly expose confidential workspace data and allow unauthorized modifications.

Missing User Warnings (High)
Confidence: 99%
Finding:
Using a built-in fallback credential means the skill can access a Notion workspace even when the operator has not explicitly configured authentication, which bypasses clear user consent and disclosure. Because this skill supports reading, listing databases, creating pages, and appending blocks, the embedded token materially expands access beyond what a user may expect from simply running the code.

VirusTotal

65/65 vendors flagged this skill as clean.
