Notion Brain

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Notion-saving skill, but it can create, overwrite, and duplicate persistent content with broad activation rules and limited confirmation guidance.

Install only if you want an agent to save structured content into your Notion workspace. Limit the Notion integration to specific safe pages/databases, replace placeholders carefully, and require explicit confirmation before any Notion write, comment, memory save, or replace_content operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium, 92% confidence
The skill is explicitly scoped around native Notion MCP tools, but this section introduces a direct raw HTTP call to the Notion Comments API. Expanding from approved MCP-mediated actions to arbitrary API usage broadens the execution surface, bypasses the stated tool boundary, and can enable unreviewed writes or future exfiltration patterns under the guise of documentation.

Context-Inappropriate Capability

Medium, 90% confidence
The webhook section describes future bidirectional sync, change detection, and triggering agent workflows from Notion changes, which materially exceeds a one-way save-to-Notion skill. Even as 'future capability' documentation, it normalizes a design that could ingest workspace changes, trigger actions without fresh user intent, and create a much broader trust and data-flow boundary.

Context-Inappropriate Capability

Low, 83% confidence
The operational advice tells the agent to also write routed content to workspace memory, which expands data retention beyond the user's stated save-to-Notion request. That creates unnecessary duplication of potentially sensitive content and conflicts with the documented boundary that memory-only writes should be skipped.

Vague Triggers

High, 95% confidence
The trigger language is extremely broad and includes many ordinary phrases plus an instruction to ALWAYS trigger on whole classes of durable content. In practice, this can cause the skill to activate in situations where the user did not clearly intend an external write, increasing the chance of oversharing sensitive data to Notion or performing writes without sufficiently explicit consent.

Missing User Warnings

Medium, 93% confidence
The skill repeatedly instructs the agent to write content to a Notion workspace but does not prominently warn that this is an external data sink or require user-facing confirmation at write time. This is risky because users may interpret the action as internal organization rather than transmission to a third-party workspace, especially when handling research, audits, finance artifacts, or contact notes.

Missing User Warnings

Medium, 88% confidence
This file documents creation, replacement, append, and property-update operations that can modify Notion workspace data, including destructive replace behavior, without an explicit warning or confirmation requirement. In an agent context, omission of guardrails increases the chance of unintended writes, overwrites, or duplicate content being committed to a live knowledge base.

VirusTotal

65/65 vendors flagged this skill as clean.