ClawHub

Notion Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Notion helper, but it can read and modify Notion content that you share with its integration token.

Install only after verifying the npm package, use a dedicated least-privilege Notion integration, share only the pages or databases you want the agent to access, protect the local token file with restrictive permissions, and review create or update actions before they run because they can change live Notion workspace data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly documents create and update operations against live Notion pages/databases but does not warn that these commands modify remote user data. In an agent-skill context, that omission increases the chance of accidental destructive or unauthorized changes because users may treat examples as read-only guidance when they are not.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions show how to export and use a sensitive Notion token without any credential-handling warning, least-privilege guidance, or caution about shell history and accidental disclosure. In an agent setting, this can lead to token leakage or misuse, granting API access to the user's Notion workspace.

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup

- Install notion-cli: `npm install -g @iansinnott/notion-cli`
- Create an integration at https://notion.so/my-integrations
- Copy the API key (starts with *ntn_* or *secret_*)
- Store it:
  - `mkdir -p ~/.config/notion`
Confidence
88% confidence
Finding
Create an integration at https://notion.so/my-integrations - Copy the API key (starts with *ntn_* or *secret_*) - Store it: - `mkdir -p ~/.config/notion` - `echo "ntn_your_key_here" > ~/.config/no

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal