Diy Pc Ingest

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Notion import skill, but it can directly overwrite or archive Notion pages without strong safeguards.

Install only if you are comfortable giving this skill write access to Notion. Use a Notion integration shared only with the intended DIY_PC databases, review generated JSONL before running it, and avoid page_id, overwrite, archive, or mirror_to_pcconfig unless you explicitly requested those changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium, 93% confidence
Finding
The script accepts a caller-supplied page_id and optional archive flag, then performs a direct PATCH on that Notion page without verifying that the page belongs to the expected target data source or limiting the operation to ingest/upsert-only behavior. In an agent setting, this expands the tool from structured ingestion into arbitrary remote record modification/deletion, which can be abused to tamper with unrelated Notion content if an attacker can influence inputs.

Description-Behavior Mismatch

Low, 84% confidence
Finding
When processing a storage record, the script can also create or update a separate PCConfig row via mirror_to_pcconfig. This hidden side effect broadens the write scope beyond the declared target record, increasing the chance of unintended data modification if an upstream agent or user input sets the flag unexpectedly.

Missing User Warnings

Medium, 89% confidence
Finding
The skill says it may use web_search/web_fetch for enrichment but does not warn that pasted purchase logs or hardware details could be sent to external services. Even if only partial data is transmitted, receipts, serials, model numbers, and store/date information can be sensitive and create privacy leakage or account/device profiling risk.

Missing User Warnings

Medium, 96% confidence
Finding
The skill performs create, update, and archive operations in Notion, but the description lacks an explicit warning that invoking it can modify or remove user data. This is dangerous because users may treat it as a passive parser while it actually makes persistent changes, increasing the chance of accidental overwrites, bad matches, or destructive archival actions.

Missing User Warnings

Medium, 78% confidence
Finding
This code performs remote create, update, and archive operations based entirely on stdin records, including destructive changes, with no confirmation, authorization check, or safety interlock at the tool boundary. In an AI-agent workflow handling pasted untrusted content, that makes unintended or attacker-influenced remote state changes materially more dangerous.

VirusTotal

63/63 vendors flagged this skill as clean.