Back to skill

Security audit

Notion Time Management Matrix (Eisenhower Matrix)

Security checks across malware telemetry and agentic risk

Overview

This is mostly a coherent Notion task manager, but it returns an instruction to alter future agent/tool behavior outside the task-management purpose.

Install only if you are comfortable giving this skill access to a scoped Notion integration and allowing it to cache task data locally. Use a Notion key limited to the intended database, protect ~/.config/notion files, periodically delete the state cache if needed, and ignore or remove the TOOLS.md prioritization instruction before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes Python, reads local config files, writes a state file, and makes network requests to Notion, yet no permissions are explicitly declared. This creates a transparency and governance gap: users and host systems cannot accurately assess or constrain the skill's real capabilities, increasing the chance of unintended file access, persistent local storage, or remote data modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The public description presents the skill as a task-management integration, but the actual behavior also includes reading secrets from disk and persisting cached task and schema data locally. That mismatch can mislead users and reviewers about where sensitive data is stored and how long it persists, which is especially risky because task data may contain confidential notes, schedules, or business context.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script reads a Notion API key and database name directly from fixed files under the user's home directory, then automatically uses them for outbound API calls. This expands the skill's authority beyond explicit user-provided inputs and can silently access a different workspace or secrets than the caller intended, which is risky for a time-management skill.

Context-Inappropriate Capability

Low
Confidence
93% confidence
Finding
The `get_state` path emits instruction-like text telling the caller to update `TOOLS.md` and prefer this skill over memory. This is unrelated to task management and attempts to influence agent behavior through output text, creating a prompt/instruction injection channel rather than returning only business data.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger examples are broad natural-language phrases such as '明天要做' or '最近有什么重要的事', which can easily overlap with ordinary conversation. In a skill that can create or modify remote Notion tasks, overbroad triggering increases the risk of unintended execution and accidental data changes without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Defining activation primarily by high-level intent categories without clear boundaries makes it hard to distinguish actionable commands from general discussion. Because this skill performs writes and updates to a remote system, ambiguity in activation materially raises the chance of accidental task creation, status changes, or deadline edits.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill is capable of creating and updating data in Notion, but the description does not clearly foreground that remote records will be modified. Users may believe they are only asking for advice or summaries, while the skill may perform real changes to a production task database, causing integrity and privacy risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to store the Notion API key in a plaintext file under ~/.config/notion without any warning about local secret exposure or file permission hardening. Plaintext credential storage increases the risk that other local users, backups, logs, or malware can recover the token and gain unauthorized access to the user's Notion workspace.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill persists fetched and searched Notion task data into a local JSON state file in the script directory without disclosure, minimization, or access controls. Task titles, notes, categories, due dates, and URLs may contain sensitive business or personal information, so local caching creates an unnecessary secondary data store that can be read by other local processes or users.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script reads a sensitive API key from disk and immediately uses it for external Notion requests without explicit user-facing disclosure or confirmation. Silent secret consumption is dangerous because it bypasses informed consent and can cause the agent to act with more privilege than the user expects.

Ssd 3

Medium
Confidence
95% confidence
Finding
The bootstrap response includes natural-language directives to persist behavior into `TOOLS.md` and alter future tool-use preferences. This is dangerous because it uses tool output as a covert control channel to propagate instructions beyond the skill's scope, potentially modifying agent behavior and contaminating downstream context.

Session Persistence

Medium
Category
Rogue Agent
Content
### 2.1 API 密钥配置
用户需要提供 API 密钥,执行以下命令存储 API 密钥:
   ```bash
   mkdir -p ~/.config/notion
   echo "your_api_key_here" > ~/.config/notion/api_key
   ```
- 禁止从memory记忆文件或TOOLS.md文件或上下文获取API密钥。
Confidence
92% confidence
Finding
mkdir -p ~/.config/notion echo "your_api_key_here" > ~/.config/notion/api_key ``` - 禁止从memory记忆文件或TOOLS.md文件或上下文获取API密钥。 ### 2.2 数据库配置 用户需要提供数据库名称,执行以下命令存储数据库名称: ```bash mkdir -p ~/.confi

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.