Diy Pc Ingest

Security checks across malware telemetry and agentic risk

Overview

This Notion ingestion skill mostly matches its stated purpose, but its advertised preview step is not actually read-only, and the skill can update or archive live Notion pages.

Install it only if you are comfortable giving it write access to the target Notion workspace. Use a minimally scoped Notion integration shared only with the intended DIY_PC databases, test against a backup or sandbox workspace first, and manually review any JSONL record that contains page_id, overwrite, archive, archived, relation, or mirror_to_pcconfig before it is applied. Do not treat the documented preview step as read-only unless the script is changed to add a real dry-run mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding
The skill description emphasizes ingestion and upsert of PC-part records, but the documented behavior also enables higher-risk operations: direct page updates by arbitrary page_id, page archiving, cross-table mirroring, credential/config discovery, and subprocess-driven API access. Those capabilities materially expand the write surface and can be abused to alter or delete unrelated Notion content whenever inputs or operator assumptions are wrong.

Intent-Code Divergence

Severity: Medium
Confidence: 83%
Finding
The workflow says the search/preview step 'does not write anything,' but the same interface later documents control fields that can directly update or archive pages. Even if those controls are intended for the later upsert phase, mixing preview and mutation semantics in one tool creates a real risk that a supposedly safe dry-run is executed with write-capable inputs, leading to unintended changes.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The script accepts arbitrary page_id/id input and can directly PATCH any Notion page, including setting archived=true, which exceeds the narrow 'apply ingested records' behavior described in the docstring and skill purpose. In an agent setting, this creates a dangerous capability expansion: crafted input can target unrelated records for modification or archival without going through the normal target-specific matching logic.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
A storage record can implicitly create or update PCConfig entries via mirror_to_pcconfig, causing side effects in a second dataset not apparent from the primary operation. This broadens write scope and makes prompt- or data-driven abuse easier, because a user or model intending to update storage can unintentionally alter PC configuration inventory as well.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The script does more than apply records to the explicitly requested target table: when a storage record includes mirror_to_pcconfig, it automatically creates or updates a second table. In an ingestion skill that processes user-pasted text and then writes to Notion, this broadens write scope and can cause unintended or surprising cross-database modification if upstream classification is wrong or an attacker can influence input shaping.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
A record containing page_id plus archive/archived can archive an existing Notion page directly, with no local validation that the page belongs to the expected target database and no separate authorization for the destructive action. In an agent skill that consumes structured records derived from user text, this increases the chance of accidental or attacker-influenced destructive modification of remote data.
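As an added check for the manual review step recommended in the Overview and for the page_id/archive validation gap described in the finding above, the following Python gate (example code written for this page, not part of the skill or of SkillSpector) scans JSONL records before anything is sent to Notion. The field names are the ones named in this report; the function names, the parent_db_of lookup, the allow_archive flag, and the sample records and ids are assumptions. It enforces two rules: in dry-run mode any write-capable field blocks the run, and in apply mode a page_id is accepted only when its parent database matches the intended target.

```python
"""Pre-flight gate for JSONL ingestion records before any Notion write.

Added example; not part of the skill. Field names come from the scan
report; function names, the lookup callback and the sample data are assumed.
"""
import json

DIRECT_TARGET_FIELDS = ("page_id", "id")        # address an existing page directly
DESTRUCTIVE_FIELDS = ("archive", "archived")    # archive a live page
WRITE_CONTROL_FIELDS = ("overwrite", "relation", "mirror_to_pcconfig")


def review_record(record, target_db, parent_db_of, dry_run=True, allow_archive=False):
    """Return (severity, message) findings for one record.

    severity is "block" (must not be sent) or "review" (needs a human look).
    parent_db_of(page_id) -> parent database id, or None if the integration
    cannot see the page (assumed callback; in practice backed by the Notion API).
    """
    findings = []
    control = [f for f in DIRECT_TARGET_FIELDS + DESTRUCTIVE_FIELDS + WRITE_CONTROL_FIELDS
               if f in record]
    if dry_run:
        # A preview run must not carry write-capable inputs at all.
        for f in control:
            findings.append(("block", f"{f}: write-capable field in dry run"))
        return findings
    for f in DIRECT_TARGET_FIELDS:
        if f in record:
            parent = parent_db_of(record[f])
            if parent is None:
                findings.append(("block", f"{f}={record[f]!r}: page not visible to integration"))
            elif parent != target_db:
                findings.append(("block", f"{f}={record[f]!r}: belongs to {parent!r}, not {target_db!r}"))
            else:
                findings.append(("review", f"{f}={record[f]!r}: bypasses field matching"))
    for f in DESTRUCTIVE_FIELDS:
        if record.get(f):
            sev = "review" if allow_archive else "block"
            findings.append((sev, f"{f}=true: archives a live page"))
    for f in WRITE_CONTROL_FIELDS:
        if f in record:
            findings.append(("review", f"{f}: widens write scope"))
    return findings


def review_jsonl(text, target_db, parent_db_of, dry_run=True, allow_archive=False):
    """Review every non-empty line; return counts plus per-line findings."""
    report = {"blocked": 0, "flagged": 0, "clean": 0, "lines": {}}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            findings = [("block", f"malformed JSON: {exc.msg}")]
        else:
            findings = review_record(record, target_db, parent_db_of, dry_run, allow_archive)
        if any(sev == "block" for sev, _ in findings):
            report["blocked"] += 1
        elif findings:
            report["flagged"] += 1
        else:
            report["clean"] += 1
        if findings:
            report["lines"][lineno] = findings
    return report


# Constructed sample input: not real Notion ids, pages or records.
SAMPLE_JSONL = "\n".join([
    json.dumps({"name": "Samsung 980 Pro 1TB", "type": "NVMe", "capacity_gb": 1000}),
    json.dumps({"page_id": "p-aaa", "overwrite": True, "name": "Samsung 980 Pro 1TB"}),
    json.dumps({"page_id": "p-bbb", "archived": True}),
    json.dumps({"name": "WD Black SN850X", "mirror_to_pcconfig": True}),
])
PAGE_PARENTS = {"p-aaa": "db-storage", "p-bbb": "db-cpu"}  # assumed page -> database map


def gate(dry_run):
    """Run the gate over the sample; a caller aborts the ingest if report['blocked'] > 0."""
    return review_jsonl(SAMPLE_JSONL, "db-storage", PAGE_PARENTS.get, dry_run=dry_run)


if __name__ == "__main__":
    for mode in (True, False):
        r = gate(mode)
        print("dry_run" if mode else "apply", {k: r[k] for k in ("blocked", "flagged", "clean")})
        for n, fs in sorted(r["lines"].items()):
            for sev, msg in fs:
                print(f"  line {n}: {sev}: {msg}")
```

Run it before the skill's upsert step and refuse to proceed when any record is blocked. On the constructed sample, apply mode blocks the record that targets a page in another database and flags the two that carry write-scope controls, while dry-run mode blocks all three control-bearing records, which is the behaviour a real preview should have.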

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal