Notion Pipeline

Security checks across malware telemetry and agentic risk

Overview

This Notion workflow skill is mostly coherent, but one approval command can schedule another local agent to write files and send Telegram messages, which is broader than the description makes clear.

Install only if you intentionally want a local idea-factory automation skill, not just a Notion helper. Use a least-privilege Notion token, and before running any write or approval command review the fixed /Users/dellymac paths, the local env-file token storage, the Telegram target 1565027149, the Europe/Istanbul timezone default, and the handle-approval cron behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: High. Confidence: 99%.
Finding
This script is described as a Notion pipeline, but it also orchestrates local automation by spawning the openclaw CLI, reading local cron job state, creating persistent scheduled jobs, and constructing downstream agent instructions. That expands the trust boundary from Notion CRUD into host-level task execution and autonomous agent control, which is dangerous because invoking a seemingly benign approval action can cause unintended local actions and follow-on side effects outside Notion.
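A reviewer checking for this kind of description-behavior mismatch can do a cheap static pass before installing: grep the skill's source for capabilities that a "Notion pipeline" description does not imply (scheduled persistence, subprocess spawning, external messaging, env-file writes, hardcoded home paths) and compare against the declared scope. The following is an added example written for this page, not the scanner's code or the skill's code; the regex patterns, the capability names, and the sample source lines are all constructed for illustration.

```python
import re

# Constructed sample resembling the kinds of calls the findings describe.
# This is NOT the skill's actual source; it exists only to exercise the audit.
SAMPLE_SOURCE = """\
import subprocess
NOTION_TOKEN = os.environ["NOTION_TOKEN"]
subprocess.run(["openclaw", "cron", "add", "--schedule", "0 9 * * *", "--prompt", prompt])
with open("/Users/dellymac/.idea-factory/.env", "w") as f:
    f.write(f"NOTION_TOKEN={token}\\n")
prompt = "Send a Telegram message to chat 1565027149 when done"
"""

# Capability indicators (assumed patterns; tune per codebase). Each maps a
# capability name to a regex matched per line.
PATTERNS = {
    "scheduled_persistence": re.compile(r"\b(cron|crontab|launchctl|schtasks)\b", re.I),
    "subprocess_spawn": re.compile(r"\b(subprocess\.(run|Popen|call)|os\.system)\b"),
    "external_messaging": re.compile(r"\b(telegram|chat_id|sendMessage)\b", re.I),
    "env_file_write": re.compile(r"open\([^)]*\.env[^)]*['\"]w"),
    "hardcoded_home_path": re.compile(r"/Users/[A-Za-z0-9_-]+/"),
}

# What the skill's own description implies it needs (assumed).
DECLARED_SCOPE = {"notion_api"}


def audit_source(text):
    """Return {capability: [1-based line numbers]} for every pattern hit."""
    hits = {name: [] for name in PATTERNS}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits[name].append(lineno)
    return hits


def undeclared_capabilities(hits, declared=DECLARED_SCOPE):
    """Capabilities present in the code but absent from the declared scope."""
    return sorted(name for name, lines in hits.items() if lines and name not in declared)


if __name__ == "__main__":
    found = audit_source(SAMPLE_SOURCE)
    for cap in undeclared_capabilities(found):
        print(f"undeclared capability {cap!r} at lines {found[cap]}")
```

Any non-empty result is a reason to read those lines by hand before trusting the description; the point is to surface host-level side effects that a data-layer helper has no reason to carry.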

Context-Inappropriate Capability

Severity: High. Confidence: 99%.
Finding
The approval path silently creates a cron job that launches another agent session with a long, action-oriented prompt, causing durable autonomous execution after a simple idea approval. In the context of a Notion management skill, this is especially risky because a data-layer action becomes a trigger for local persistence, filesystem writes, rendering commands, and external messaging without a clear security boundary.

Missing User Warnings

Severity: Medium. Confidence: 92%.
Finding
The skill explicitly supports creating, updating, and appending content in remote Notion databases, but it does not prominently warn that these commands perform live state-changing operations. In an agent setting, this increases the chance of unintended writes, data corruption, or overwriting production records when the skill is invoked without clear operator awareness or confirmation gates.

Missing User Warnings

Severity: Medium. Confidence: 90%.
Finding
The script persists the Notion bearer token and other configuration values to a local env file without any visible warning, consent, or safeguards in this file. Storing credentials in plaintext can expand exposure through accidental commits, permissive file permissions, shell history/workspace leakage, or other local tooling that reads env files.
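If a skill must keep a token in a local env file at all, the minimum safeguard is to create the file with owner-only permissions from the start and to refuse to load it when the permissions, ownership, or file type have drifted. The example below is added for this page and is not the skill's code; the key names, the `load_private_env`/`write_private_env` helpers, and the temporary-directory demo are all assumed for illustration (the placeholder token value is constructed, not a real credential).

```python
import os
import stat
import tempfile


def env_file_is_private(path):
    """Return (ok, reason). Refuse symlinks, non-regular files, files owned by
    another user, and any file readable or writable by group or others."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False, "is a symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != os.getuid():  # POSIX only; assumed deployment target
        return False, "not owned by current user"
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, f"mode {stat.filemode(st.st_mode)} allows group/other access"
    return True, "ok"


def parse_env(text):
    """Minimal KEY=VALUE parser: skips blanks and comments, strips an optional
    'export ' prefix and one layer of matching quotes around the value."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        out[key] = value
    return out


def load_private_env(path, required=("NOTION_TOKEN",)):
    """Load the env file only if it passes the privacy check; fail loudly
    (rather than silently running with a leaked secret) otherwise."""
    ok, reason = env_file_is_private(path)
    if not ok:
        raise PermissionError(f"refusing to load {path}: {reason}")
    with open(path, encoding="utf-8") as f:
        env = parse_env(f.read())
    missing = [k for k in required if k not in env]
    if missing:
        raise KeyError(f"{path} is missing required keys: {missing}")
    return env


def write_private_env(path, values):
    """Create the file with mode 0600 atomically at open time, so there is no
    window where a default-umask file holds the token; re-chmod in case the
    file already existed with looser bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        for k, v in values.items():
            f.write(f"{k}={v}\n")
    os.chmod(path, 0o600)


def demo():
    """Write a private env file, load it, loosen its mode, and confirm the
    loader then refuses it. Returns (token_loaded, refused_after_chmod)."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, ".env")
    write_private_env(p, {"NOTION_TOKEN": "placeholder_token", "TZ": "Europe/Istanbul"})
    token = load_private_env(p)["NOTION_TOKEN"]
    os.chmod(p, 0o644)  # simulate drift to world-readable
    try:
        load_private_env(p)
        refused = False
    except PermissionError:
        refused = True
    return token, refused


if __name__ == "__main__":
    print(demo())
```

This does not address the other leakage paths the finding lists (accidental commits, shell history, other tooling that reads env files); those need a `.gitignore` entry and operator awareness, which is exactly the warning the finding says is missing.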

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding
The spawned workflow includes instructions to send a Telegram message to a fixed target, yet the code provides no user-facing confirmation or consent step before scheduling that behavior. This creates a risk of unauthorized or accidental external communications, especially since the transmission is embedded in a downstream prompt rather than surfaced as a direct, reviewable action.

Ssd 4

Severity: Medium. Confidence: 96%.
Finding
The code embeds a detailed multi-step instruction block directing another agent to create directories, read project data, write files, invoke rendering commands, update Notion, and send Telegram messages. Hardcoding an autonomous action plan into a scheduled prompt is dangerous because it turns one local subprocess call into a broad chain of externalized actions with limited validation, review, or containment.
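The three "Missing User Warnings" findings above and this one share a root cause: a single approval fans out into a remote write, a persistent scheduled job, and an external message with no confirmation or dry-run boundary between the data-layer action and the host-level side effects. One way to put that boundary back is a gate that classifies each action by effect, blocks any effect class the operator has not explicitly opted in to, and defaults to dry-run even for allowed classes. The code below is an added example written for this page; it is not the skill's code. The `Effect` classes, the `Gate` type, and the simulated approval plan are assumed, and the plan's callables only record what they would have done instead of calling Notion, cron, or Telegram.

```python
from dataclasses import dataclass, field
from enum import Enum


class Effect(Enum):
    READ = "read"                          # no state change
    REMOTE_WRITE = "remote_write"          # mutates Notion records
    PERSISTENCE = "persistence"            # creates cron/scheduled jobs
    EXTERNAL_MESSAGE = "external_message"  # messages a third party


@dataclass
class Action:
    name: str
    effect: Effect
    target: str


@dataclass
class Gate:
    """Side-effect gate. `allowed` holds the effect classes the operator opted
    in to; everything else is blocked. Allowed effects still only log unless
    dry_run is turned off explicitly."""
    allowed: set
    dry_run: bool = True
    log: list = field(default_factory=list)

    def run(self, action, do):
        tag = f"{action.effect.value}: {action.name} -> {action.target}"
        if action.effect is Effect.READ:
            return do()
        if action.effect not in self.allowed:
            self.log.append(f"BLOCKED {tag}")
            return None
        if self.dry_run:
            self.log.append(f"DRY-RUN {tag}")
            return None
        self.log.append(f"EXECUTED {tag}")
        return do()


def handle_approval_plan(idea_id, executed):
    """Constructed stand-in for the approval fan-out the findings describe.
    Each callable appends a marker to `executed` instead of doing real work."""
    return [
        (Action("mark idea approved", Effect.REMOTE_WRITE, f"notion:{idea_id}"),
         lambda: executed.append(f"notion.update({idea_id})")),
        (Action("schedule follow-up agent session", Effect.PERSISTENCE, "cron:daily"),
         lambda: executed.append("cron.add(agent-session)")),
        (Action("notify operator", Effect.EXTERNAL_MESSAGE, "telegram:1565027149"),
         lambda: executed.append("telegram.send(1565027149)")),
    ]


def run_plan(gate, plan):
    """Run every step of a plan through the gate; return the gate's log."""
    for action, do in plan:
        gate.run(action, do)
    return gate.log


if __name__ == "__main__":
    executed = []
    gate = Gate(allowed={Effect.REMOTE_WRITE}, dry_run=False)
    for line in run_plan(gate, handle_approval_plan("idea-1", executed)):
        print(line)
    print("actually executed:", executed)
```

With the default gate (nothing allowed) an approval changes nothing and produces a reviewable log of what it would have done; the operator then opts in to `REMOTE_WRITE` for Notion updates while persistence and external messaging stay blocked until separately approved.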

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
