Notion Content Pipeline

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Notion content workflow, but it needs Review because normal commands can overwrite local drafts, archive Notion pages, update workflow status, and run another local skill.

Install only if you are comfortable giving it a least-privilege Notion integration token and letting it modify both your local drafts and Notion workspace. Keep content under version control or backed up, use `--dry-run` before the advance workflow, verify or skip the sibling fact-checker step, and replace the published 1Password item reference with your own secure secret-handling process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The skill scope expands from sync into automated humanization and fact-check orchestration, which are separate content-processing operations with different risk profiles. This scope drift can surprise users and reviewers, especially because these steps modify local files and may invoke additional tooling beyond what a Notion sync skill would reasonably require.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill explicitly documents execution of a sibling fact-checker script, introducing cross-skill trust and subprocess execution that are not justified by the core Notion sync use case. Cross-skill invocation increases attack surface because a compromised or overly permissive neighboring skill can inherit sensitive content and environment context through this workflow.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The script intentionally invokes code from a sibling skill (skills/fact-checker/scripts/fact_check.py), which creates a cross-skill execution trust boundary not obvious from a Notion/markdown sync tool. If that sibling skill is modified, compromised, or less trusted, this pipeline will execute it automatically, enabling unintended code execution during normal content operations.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documented automated workflow notes pull/push behavior but does not prominently warn that it will modify local markdown files and create `.humanizer.diff` and `.factcheck.txt` sidecar files. Insufficient disclosure around file mutation is risky because users may run the command expecting synchronization only, then unintentionally overwrite edits or commit generated artifacts.

Missing User Warnings

Medium
Confidence: 85%
Finding
The pull workflow writes Notion content directly to the specified local markdown path without prompting, backup, or conflict detection. In a two-way sync tool this can destroy local edits or replace trusted content with remote content if the mapping is stale or the Notion page was modified unexpectedly.

Missing User Warnings

Medium
Confidence: 89%
Finding
When an existing mapping is present, push archives the existing Notion page and creates a fresh page automatically. This can cause unintended data loss, break links/workflows tied to the old page, and makes destructive behavior the default for a content-sync utility handling user-authored material.

VirusTotal

VirusTotal findings are pending for this skill version.
