ClawHub

recall-from-notion

Security checks across malware telemetry and agentic risk

Overview

This read-only Notion memory skill is purpose-aligned, but it proactively and silently uses personal memories in broad situations, so users should review its privacy behavior before installing.

Install only if you want your agent to consult your Notion Memory Store proactively. Use least-privilege Notion access, avoid storing secrets or sensitive internal links in the memory database, and explicitly ask for a fresh or generic answer when you do not want memory used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
96% confidence
Finding
The skill is designed to trigger proactively at the beginning of conversations and on broad cues, which can cause memory retrieval without a clear, current user request. Because the data source is a personal memory store, broad automatic activation increases the chance of unnecessary access to privacy-sensitive information and inappropriate context injection.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The 'When to Trigger' guidance is expansive and ambiguous, covering many ordinary conversation openings and domain-specific tasks. In a memory-retrieval skill, this creates a real risk of over-collection and use of stored personal data in situations where recall is not necessary for the user's request.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to read user memories from Notion and later emphasizes silent behavior, but does not require a user-facing notice or contemporaneous consent. Silent access to a personal memory database is privacy-sensitive because users may not realize their stored notes are being queried and used in the current conversation.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill tells the agent to inject recalled memories as context and to include key details such as IDs, commands, and URLs verbatim. Verbatim propagation of stored details can expose secrets, internal links, identifiers, or other sensitive personal/project information to downstream model context or user-visible output beyond what is necessary.

Ssd 3

Medium
Confidence
95% confidence
Finding
Proactive and silent recall of personal memories can surface stored background, preferences, and prior decisions without an explicit current request from the user. Even if the intent is convenience, this increases the likelihood of revealing sensitive personal context in situations where the user expected a fresh or generic response.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal