notion-clipper-skill

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The script reads sensitive Notion API keys from a hardcoded, predictable local path (~/.config/notion/api_key) in scripts/paths.ts. This makes the user's Notion credentials vulnerable to any other process or skill with local file read access.
  • [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection surface. The skill ingests untrusted data from arbitrary web URLs. Findings include:
      • Ingestion Points: The captureUrl function in scripts/main.ts uses Chrome CDP to fetch HTML content from external URLs.
      • Boundary Markers: No boundary markers or 'ignore instructions' directives are used when processing or converting the fetched content.
      • Capability Inventory: The skill has Notion workspace write access (createPageInDatabase, appendBlocksToPage) and local command execution via npx.
      • Sanitization: While HTML and URLs are cleaned for formatting and Notion API compatibility in scripts/html-to-markdown.ts and scripts/markdown-to-notion.ts, there is no filtering for adversarial instructions within the content.
  • [COMMAND_EXECUTION] (MEDIUM): Uses launchChrome to spawn a browser subprocess and npx for runtime execution, providing a mechanism for local system interaction.
  • [EXTERNAL_DOWNLOADS] (LOW): Automatically runs npm install to fetch dependencies as specified in the SKILL.md Agent Execution Instructions. While dependencies like @tryfabric/martian are standard, the automatic download and execution of packages from npmjs.com is a notable vector.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:37 PM