Notion API Tools

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Notion API command-line skill, but users should treat it as capable of reading and changing Notion workspace content.

Install only if you intend to let an agent use a Notion integration token. Use a dedicated least-privilege Notion integration, share only the pages or databases needed, and review any create-page, append-blocks, or update-block command before it runs because those can change workspace content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The script implements block retrieval and editing operations (`retrieve-block`, `block-children`, `append-blocks`, `update-block`) that are not reflected in the stated skill metadata, which only describes search/query/create-page behavior. This capability mismatch is dangerous because users or orchestrators may grant trust or run the skill under incomplete assumptions, enabling unintended read/write access to Notion content.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill supports creating pages in Notion but does not warn users that invoking it can modify workspace content. In an agent setting, this increases the chance of unintended writes, clutter, or accidental changes to shared organizational data because users may assume the tool is read-only.

Missing User Warnings

Low
Confidence: 89%
Finding
The skill instructs users to provide a Notion integration token via environment variable or local config file, but it does not include a privacy/security warning about the scope and sensitivity of that credential. This can lead to overbroad token exposure or use against unintended workspace content if users do not understand that the token grants API access based on the integration’s permissions.

VirusTotal

66/66 vendors flagged this skill as clean.
