Trust Assessment
notion received a trust score of 18/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 2 critical, 1 high, 3 medium, and 2 low severity. Key findings include Arbitrary command execution, Sensitive environment variable access: $HOME, Unpinned npm dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 46/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings8
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/moikapy/openclaw-notion-skill/templates/examples/content-scout-example.js:53 | |
| CRITICAL | Direct Command Injection in example script via unsanitized string interpolation The `templates/examples/content-scout-example.js` script constructs a shell command using direct string interpolation for `CONTENT_DB_ID`, `item.title`, and `JSON.stringify(properties)`. If `CONTENT_DB_ID` or `item.title` contain shell metacharacters (e.g., backticks, semicolons, quotes), or if the `JSON.stringify` output contains a single quote, an attacker could inject and execute arbitrary commands. This is a live example demonstrating the vulnerability, making the exploit path direct and high-impact. Rewrite the `exec` call to pass arguments as an array to `child_process.spawn` or use a shell escaping utility for each variable. For example, `exec({ command: ['node', '../notion-cli.js', 'add-entry', CONTENT_DB_ID, '--title', item.title, '--properties', JSON.stringify(properties)] })` if the `exec` utility supports array arguments, or manually escape each string. | LLM | templates/examples/content-scout-example.js:40 | |
| HIGH | Command Injection via unsanitized `exec` arguments in documentation examples The `SKILL.md` documentation provides examples of using `await exec()` where variables (e.g., `databaseId`, `pageId`, `title`, `text`, `query`) are directly interpolated into shell commands. If these variables originate from untrusted user input, an attacker could inject arbitrary shell commands by crafting malicious input (e.g., `databaseId="; rm -rf /"`). The examples do not demonstrate proper shell escaping for these variables, encouraging an LLM to replicate this vulnerable pattern. Implement robust shell escaping for all variables interpolated into `exec` commands. For Node.js, consider using `child_process.spawn` with arguments passed as an array, or a library like `shell-quote` for escaping. Educate users on the importance of sanitizing untrusted input before passing it to shell commands. | LLM | SKILL.md:60 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/moikapy/openclaw-notion-skill/setup-wizard.sh:14 | |
| MEDIUM | Unpinned npm dependency version Dependency '@notionhq/client' is not pinned to an exact version ('^2.2.15'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/moikapy/openclaw-notion-skill/package.json | |
| MEDIUM | Potential for malicious lifecycle scripts via `npm install` The `install.sh` script executes `npm install`. If the `package.json` (or `package-standalone.json`) file, which is part of the untrusted skill package, contains malicious `preinstall`, `postinstall`, or other npm lifecycle scripts, these scripts would be executed during the installation process, leading to arbitrary code execution. This is a known vector for supply chain attacks. Review `package.json` and `package-standalone.json` for any suspicious or unexpected scripts. Consider using `npm install --ignore-scripts` if the skill's functionality does not strictly require custom lifecycle scripts, or sandbox the installation environment. | LLM | install.sh:9 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/moikapy/openclaw-notion-skill/package.json | |
| LOW | Unpinned dependencies in `package.json` The `package.json` file specifies dependencies using caret (`^`) ranges (e.g., `@notionhq/client: "^2.2.15"`). This allows `npm` to install newer minor or patch versions automatically. While convenient, it introduces a minor supply chain risk as a future update to a dependency could inadvertently introduce a vulnerability or breaking change without explicit review. Pin all dependencies to exact versions (e.g., `2.2.15` instead of `^2.2.15`) to ensure reproducible builds and prevent unexpected updates. Regularly audit and update dependencies manually. | LLM | package.json:19 |
Scan History
Embed Code
[](https://skillshield.io/report/973a135bfc02881b)
Powered by SkillShield