Gemini Deep Research → Notion

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated Gemini-to-Notion purpose, but it needs review because it can use your Gemini session and local Notion API key to automatically store full reports in a fixed Notion location.

Review before installing. Use it only if you are comfortable letting the agent operate your logged-in Gemini browser session and create pages in Notion. Replace the hard-coded Notion parent page ID with your own, use a least-privilege Notion integration token shared only with the intended page, avoid sensitive research topics unless you accept storage in Gemini/Notion and /tmp, and expect reports to be requested in Chinese unless the skill is edited.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (10)

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding:
The README states the skill runs as a subagent and is non-blocking, while the skill metadata explicitly says all steps must execute in the main session because the browser tool requires main-session access. This mismatch can mislead operators about execution context, causing the skill to be invoked with broader privileges or different isolation assumptions than documented.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The skill explicitly instructs reading a local Notion API key from ~/.config/notion/api_key, which is credential access from the user's filesystem. That exceeds what a browser-driven research/export workflow inherently requires and creates a path for secret retrieval and reuse without an explicit just-in-time consent step.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The README promotes extracting a full research report and exporting it to Notion but does not clearly warn that gathered content will be sent to a third-party service. In a research skill that may process sensitive user queries or browser-extracted data, this omission can lead to unintended data disclosure and weak user consent around external transmission.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding:
The trigger description is broad enough to activate on ordinary requests for research or in-depth reports, which can cause the skill to run unexpectedly. Because this skill performs browser automation, waits for long-running tasks, reads a local secret, and exports content externally, overbroad invocation materially increases the chance of unintended sensitive actions.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill directs exfiltration of the extracted report to Notion but does not require a clear user warning or consent immediately before transmission. This is dangerous because the generated report may contain sensitive user-provided prompts, research content, or derived information that the user did not intend to store in a third-party service.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill accesses a local Notion API key with no explicit user warning or authorization step. Silent secret access is dangerous because it normalizes credential harvesting behavior and can enable unauthorized actions against the user's Notion workspace.

Natural-Language Policy Violations

Severity: High
Confidence: 90%
Finding:
The instruction to always prepend '请用中文回答。' overrides user intent and alters the content of the outbound query without opt-in. While not a classic security issue by itself, it is a policy-bypassing behavior that can misrepresent user requests, affect downstream handling, and increase the risk of unintended disclosure or incorrect outputs.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
- Split rich_text at 2000 chars
3. Create the page via Notion API:
   ```bash
   curl -s -X POST "https://api.notion.com/v1/pages" \
     -H "Authorization: Bearer $NOTION_KEY" \
     -H "Notion-Version: 2025-09-03" \
     -H "Content-Type: application/json" \
   ```
Confidence: 93%
Finding:
```bash
curl -s -X POST "https://api.notion.com/v1/pages" \
  -H "Authorization: Bearer $NOTION_KEY" \
  -H "Notion-Version: 2025-09-03" \
  -H "Content-Type: application/json" \
  -d
```

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
- Split rich_text at 2000 chars
3. Create the page via Notion API:
   ```bash
   curl -s -X POST "https://api.notion.com/v1/pages" \
     -H "Authorization: Bearer $NOTION_KEY" \
     -H "Notion-Version: 2025-09-03" \
     -H "Content-Type: application/json" \
   ```
Confidence: 93%
Finding:
https://api.notion.com/

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
3. Get total length: `document.querySelectorAll('message-content')[2]?.innerText?.length`
4. Extract in 8000-char chunks using substring: `document.querySelectorAll('message-content')[N]?.innerText?.substring(START, END)`
5. Concatenate all chunks into the full report text
6. Save to a temp file: write full report to `/tmp/deep_research_<timestamp>.md`

### Phase 4: Export to Notion
Confidence: 84%
Finding:
write full report to `/tmp/deep_research_<timestamp>.md`
### Phase 4: Export to Notion
**Parent page ID:** `31a4cfb5-c92b-809f-9d8a-dd451718a017` (Deep Research Database)
1. Read the Notion API key

VirusTotal

65/65 vendors flagged this skill as clean.
