hocnhanh_n8n

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Notion API helper, but it can read and change any Notion content shared with its integration token.

Use a dedicated Notion integration, share only the pages or databases the agent truly needs, and treat POST/PATCH examples as live changes. Store the token securely, restrict the key file permissions if using the documented file approach, avoid committing or syncing it, and rotate the token if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill documents authenticated write operations against the Notion API, including creating pages, databases/data sources, updating properties, and appending blocks, but it does not warn that these commands modify remote user data or that the bearer token grants access to shared Notion content. In an agent setting, this can lead to unintended data changes, broad content exposure to a third-party service, and careless credential handling if users copy the examples verbatim.

VirusTotal

57/57 vendors flagged this skill as clean.
