skills/genuifx/claude-done/done/Gen Agent Trust Hub

done

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The skill prompts the user for a Notion integration token and then writes it in plaintext to ~/.claude-done/config.json. This is insecure storage: any process or user with access to the home directory can read the token and compromise the Notion integration.
  • Evidence: cat > ~/.claude-done/config.json << 'EOF' { "notion_token": "<token>", ... } EOF in SKILL.md.
  • [COMMAND_EXECUTION] (LOW): The skill utilizes several shell commands to gather environment metadata (date, git rev-parse) and manage the local filesystem (mkdir, cat). It also executes a local Python script via python3. While these support the primary function, they represent a significant capability surface.
  • Evidence: Step 1 and Step 5c in SKILL.md.
  • [DATA_EXFILTRATION] (LOW): The skill transmits session summaries, which may contain sensitive technical details or code, to the Notion API (api.notion.com). This is the intended purpose of the skill, but users must trust Notion with the data processed.
  • Evidence: urllib.request.Request(f"{NOTION_API}/pages", ...) in scripts/sync_notion.py.
  • [PROMPT_INJECTION] (LOW): The skill's 'Review the Conversation' step (Step 2) processes the entire conversation history to generate a summary. This is a surface for indirect prompt injection if the conversation contains malicious instructions designed to bias the summary or exfiltrate specific data through the Notion sync. The risk is mitigated by the fact that the summary is not re-executed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 19, 2026, 11:54 PM