v1.0.0

Notion Brain

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:02 AM.

Analysis

This is a coherent Notion-saving skill, but it can let an agent write or overwrite Notion pages and persist selected content to workspace memory without clear per-write confirmation.

Guidance: Install only if you want an agent to save selected content into Notion. Before use, replace the placeholder Notion IDs, restrict the Notion integration to the intended pages/databases, and require confirmation before updating, replacing, or saving sensitive content or writing it to workspace memory.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium. Confidence: High. Status: Concern
SKILL.md
Also trigger when an agent produces a research summary, decision memo, project plan, status update, article draft, security audit, financial snapshot, weekly rollup, contact note, meeting prep...

The skill can activate on agent-generated content, including sensitive or durable artifacts, rather than only after an explicit user request to save that specific item.

User impact: The agent may decide to save sensitive or important generated content into Notion without a clear user approval step for each write.
Recommendation: Require explicit confirmation before creating or updating Notion pages, especially for financial, security, contact, or work-related content.

Tool Misuse and Exploitation
Severity: Medium. Confidence: High. Status: Concern
references/mcp-commands.md
Or to fully replace content (use with care): ... "command": "replace_content" ... "new_str": "## Updated Section\n\nFresh content replaces everything."

The documented workflow includes full replacement of existing Notion page content, which is a high-impact mutation and lacks a required backup or user confirmation step.

User impact: Existing Notion pages, such as recurring status pages or rollups, could be overwritten or lose prior content.
Recommendation: Add a mandatory confirmation and backup/fetch step before using replace_content, and prefer append/update operations unless the user explicitly approves replacement.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low. Confidence: High. Status: Note
references/mcp-commands.md
The connected tools are: - `notion-search` ... - `notion-create-pages` ... - `notion-update-page` ... - `notion-fetch`

The skill expects access to connected Notion tools that can read, create, and update workspace pages; this is purpose-aligned but depends on the permissions of the user's Notion integration.

User impact: If the Notion integration has broad workspace permissions, the agent may be able to access or modify more pages than intended.
Recommendation: Use the least-privileged Notion integration possible and grant access only to the intended hubs or databases.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium. Confidence: High. Status: Concern
SKILL.md
Always write to workspace memory separately when the content also matters for agent continuity.

The skill adds a second persistence path outside Notion, but does not define retention, exclusions, user approval, or how sensitive saved memory should be reused later.

User impact: Sensitive details saved for Notion may also persist in agent memory and influence future tasks beyond the original save operation.
Recommendation: Ask before writing to workspace memory, define what types of content are allowed, and exclude sensitive finance, security, health, or personal-contact details unless explicitly approved.