Back to skill

Security audit

notion-agent-memory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Notion memory template, but it encourages persistent credential notes and ongoing email/calendar or cron-style monitoring without enough safeguards.

Install only if you intentionally want an agent memory workflow. Do not store raw passwords, API keys, tokens, recovery codes, or session details in MEMORY.md, daily logs, AGENTS.md, or Notion; store only references to a password manager or secret vault. Use a dedicated low-privilege Notion integration shared only with the needed pages or databases. Treat heartbeat, email/calendar checks, and cron/background jobs as opt-in features that need explicit scope, review, and a clear way to disable them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (28)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This template expands a Notion-based memory skill into recurring email/calendar access and cron-driven background activity, which materially changes the capability and trust boundary of the skill. In an agent context, these instructions can lead to unauthorized or unexpected monitoring of external services and persistence beyond the user’s understanding of the skill’s purpose.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file directs the agent to perform active polling, session resumption, alerting, and operational monitoring that go beyond passive memory persistence described by the skill metadata. This mismatch is dangerous because users may enable what appears to be a memory tool while unknowingly granting behavior closer to an autonomous monitoring assistant.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The template explicitly tells users or agents to store 'Access credentials and tools' in long-term persistent memory. In an agent-memory skill, that is dangerous because credentials may be retained in broadly accessible notes, synced systems, prompts, or later model context, increasing exposure and reuse risk well beyond the immediate task.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The template explicitly tells users to place 'Credentials and access' into long-term memory files, which broadens sensitive secret storage into general workspace documentation. In an agent-memory skill, these files are likely to be repeatedly read, copied, synced, or exposed to other tools and future sessions, increasing the chance of credential disclosure well beyond the stated memory-persistence purpose.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The template provides shell commands that directly read a Notion API token from a local secret file and inject it into outbound requests. Even though this may be intended as convenience documentation, it normalizes secret material being pulled into command lines and teaches a pattern that can leak via shell history, logs, process inspection, screenshots, or reuse in unsafe contexts.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The document explicitly says to save credentials and document how to use them in memory artifacts, which promotes retention of secrets in generalized agent memory rather than in a dedicated secret-management system. In the context of an agent-memory skill, this is more dangerous because the whole purpose is persistence across sessions, increasing the chance of over-collection, accidental disclosure, and long-term exposure of sensitive access data.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description is broadly scoped to 'memory persistence' and 'helping agents remember context across sessions,' which can cause the skill to activate in many ordinary conversations about memory, notes, or context management. Over-broad activation increases the chance an agent applies persistence behaviors unexpectedly, leading to unsolicited reading or writing of workspace files and expansion of the skill's influence beyond user intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The session rituals direct an agent to read multiple persistent files and update logs 'EVERY session' without requiring user consent, scope checks, or privacy review. This normalizes automatic access and modification of potentially sensitive workspace data, creating a risk of unauthorized data collection, retention, and tampering even in sessions unrelated to memory management.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The template instructs routine checking of email and calendar, both of which commonly contain sensitive personal and business data, without any warning, consent flow, or minimization guidance. That creates a privacy risk because an agent could normalize access to high-sensitivity sources under the guise of a simple heartbeat check.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The persistent monitoring and cron job guidance encourages ongoing automated activity across session boundaries without clearly disclosing privacy, resource, and persistence implications to the user. This is risky because background monitoring can continue silently, collect sensitive information over time, and be difficult for users to notice or stop.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The template encourages storing credentials but provides no warning that passwords, API keys, tokens, recovery codes, or private links are sensitive and should not be written into persistent memory. In this skill context, omission of such warnings makes unsafe handling more likely because the whole document is framed as a best-practice memory workflow for agents and humans.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Encouraging long-term memory storage of credentials and access details without any sensitivity warning is unsafe because these files are designed to persist and be consulted regularly. In this skill's context, memory artifacts are effectively a knowledge base for future agent sessions, so putting secrets there makes accidental disclosure significantly more likely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file includes authenticated network request examples that consume a local API token but gives no warning about credential handling, least privilege, or data exposure. In a reusable template for agents, omission of these safeguards is dangerous because users may copy the examples verbatim into broader automation where secrets and transmitted data are less controlled.

Missing User Warnings

High
Confidence
98% confidence
Finding
The file instructs users to save and document credentials with usage examples but gives no safeguards for secret handling, storage boundaries, or redaction. This is dangerous because it normalizes putting secrets into durable memory artifacts where they may be exposed to future sessions, other tools, logs, or unauthorized readers.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide tells users to write a live Notion API secret to a predictable local file but does not mention treating it as a credential, restricting file permissions, or avoiding shell history and accidental disclosure. In an agent-memory skill, this is more dangerous because the whole purpose is persistent automation, increasing the chance that long-lived secrets are stored insecurely and later reused by scripts or exposed to other local users/processes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The examples perform authenticated reads and writes against Notion without warning that data is being sent to a third-party SaaS and that pages may be created or modified remotely. In a memory/persistence skill, users may paste sensitive conversational or operational context into these workflows, so omitted disclosure meaningfully raises privacy and integrity risk.

Ssd 3

High
Confidence
99% confidence
Finding
By instructing long-term retention of access credentials in a natural-language memory file, the template creates a durable data-retention and leakage path. Such files are likely to be copied, searched, summarized, synced, or surfaced back into future prompts, which can unintentionally disclose secrets to users, plugins, logs, or downstream systems.

Ssd 3

Medium
Confidence
93% confidence
Finding
The trigger 'Someone says "remember this"' encourages indiscriminate persistence based on conversational phrasing rather than data sensitivity. In an agent-memory skill, this can cause accidental capture of secrets, personal data, confidential instructions, or one-time tokens simply because a user asked for retention.

Ssd 3

High
Confidence
97% confidence
Finding
The text encourages retaining sensitive user-provided information, including credentials and anything the operator says to remember, without any minimization or classification controls. In an agent-memory skill, this creates a strong risk of persistent storage of secrets and sensitive instructions beyond their immediate need, enabling leakage, misuse, or unintended propagation.

Ssd 3

High
Confidence
98% confidence
Finding
The 'Red Flags — Update Immediately' section tells the agent to persist new credentials, access methods, changed procedures, and anything the operator says to remember, reinforcing long-term retention of highly sensitive information. Because this file is specifically about continuity and memory across sessions, the guidance materially increases the blast radius and duration of any sensitive-data exposure.

External Transmission

Medium
Category
Data Exfiltration
Content
TOKEN=$(grep -o '"token"[[:space:]]*:[[:space:]]*"[^"]*"' ~/.config/notion/api_key | cut -d'"' -f4)
DB_ID="your-database-id-here"

curl -s -X POST "https://api.notion.com/v1/databases/$DB_ID/query" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Notion-Version: 2022-06-28" \
  -H "Content-Type: application/json" \
Confidence
89% confidence
Finding
curl -s -X POST "https://api.notion.com/v1/databases/$DB_ID/query" \ -H "Authorization: Bearer $TOKEN" \ -H "Notion-Version: 2022-06-28" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
TOKEN=$(grep -o '"token"[[:space:]]*:[[:space:]]*"[^"]*"' ~/.config/notion/api_key | cut -d'"' -f4)
DB_ID="your-database-id-here"

curl -s -X POST "https://api.notion.com/v1/pages" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Notion-Version: 2022-06-28" \
  -H "Content-Type: application/json" \
Confidence
91% confidence
Finding
curl -s -X POST "https://api.notion.com/v1/pages" \ -H "Authorization: Bearer $TOKEN" \ -H "Notion-Version: 2022-06-28" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
TOKEN=$(grep -o '"token"[[:space:]]*:[[:space:]]*"[^"]*"' ~/.config/notion/api_key | cut -d'"' -f4)
PAGE_ID="your-page-id-here"

curl -s -X PATCH "https://api.notion.com/v1/pages/$PAGE_ID" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Notion-Version: 2022-06-28" \
  -H "Content-Type: application/json" \
Confidence
91% confidence
Finding
curl -s -X PATCH "https://api.notion.com/v1/pages/$PAGE_ID" \ -H "Authorization: Bearer $TOKEN" \ -H "Notion-Version: 2022-06-28" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
TOKEN=$(grep -o '"token"[[:space:]]*:[[:space:]]*"[^"]*"' ~/.config/notion/api_key | cut -d'"' -f4)
DB_ID="your-database-id-here"

curl -s -X POST "https://api.notion.com/v1/databases/$DB_ID/query" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Notion-Version: 2022-06-28" \
  -H "Content-Type: application/json" \
Confidence
89% confidence
Finding
https://api.notion.com/

External Transmission

Medium
Category
Data Exfiltration
Content
TOKEN=$(grep -o '"token"[[:space:]]*:[[:space:]]*"[^"]*"' ~/.config/notion/api_key | cut -d'"' -f4)
PAGE_ID="your-page-id-here"

curl -s "https://api.notion.com/v1/pages/$PAGE_ID" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Notion-Version: 2022-06-28"
```
Confidence
84% confidence
Finding
https://api.notion.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.