Trust Assessment
notion-sync received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 1 medium, and 1 low severity. Key findings include "Credential harvesting", "Arbitrary File Write via User-Controlled Path", and "Arbitrary File Read and Exfiltration to Notion".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 46/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Credential harvesting. macOS Keychain credential access. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/robansuini/notion-sync/scripts/notion-utils.js:189 |
| CRITICAL | Arbitrary File Write via User-Controlled Path. The `notion-to-md.js` script takes an `outputFile` path directly from command-line arguments without sanitization. A malicious actor could provide a path to a sensitive system file (e.g., `/etc/passwd`, `/root/.ssh/authorized_keys`) to overwrite it with the content of a Notion page. This could lead to denial of service, privilege escalation, or system compromise. Implement strict validation for the `outputFile` argument. Ensure it refers to files within an expected, non-sensitive directory (e.g., a designated skill workspace or temporary directory) and does not contain path traversal sequences like `../`. Consider using `path.resolve` with a secure base directory or restricting file writes to explicitly allowed locations. | LLM | scripts/notion-to-md.js:50 |
| HIGH | Arbitrary File Read and Exfiltration to Notion. The `add-to-database.js` and `md-to-notion.js` scripts read the content of a user-controlled markdown file path (`mdPath` or `mdFile`) and then upload this content to Notion. A malicious actor could provide a path to a sensitive local file (e.g., `/etc/passwd`, `/root/.ssh/id_rsa`, environment variables) causing its content to be exfiltrated to the Notion workspace associated with the API key. This constitutes a significant data exfiltration risk. Implement strict validation for the `mdPath` (or `mdFile`) argument. Ensure it refers to files within an expected, non-sensitive directory (e.g., a designated skill workspace or temporary directory) and does not contain path traversal sequences like `../`. Avoid allowing arbitrary file paths for reading and subsequent uploading. | LLM | scripts/add-to-database.js:26 |
| MEDIUM | Arbitrary File Read for Comparison. The `watch-notion.js` script reads the content of a user-controlled `localPath` for comparison with Notion content. While the content itself is not directly outputted, the ability to read arbitrary files on the system (e.g., `/etc/passwd`, `/root/.ssh/id_rsa`) by providing a malicious `localPath` is an excessive permission and potential information disclosure risk. An attacker could infer information about file existence or content changes. Implement strict validation for the `localPath` argument. Ensure it refers to files within an expected, non-sensitive directory (e.g., a designated skill workspace or temporary directory) and does not contain path traversal sequences like `../`. Avoid allowing arbitrary file paths for reading. | LLM | scripts/watch-notion.js:70 |
| LOW | Excessive Permissions in Token File Reading. The `resolveToken` function in `notion-utils.js` reads the Notion API token from a file specified by the `--token-file` argument. If a malicious actor can control this argument, they could potentially cause the script to read an arbitrary file on the system and attempt to use its content as an API token. While the content is not directly exfiltrated, this represents an excessive permission to read arbitrary files, which could lead to unexpected behavior or be part of a more complex attack chain. While reading a token from a file is a valid use case, ensure that the path provided for `--token-file` is validated to prevent path traversal attacks. For example, ensure it's an absolute path or relative to a secure configuration directory, and that it doesn't contain `..` segments. | LLM | scripts/notion-utils.js:38 |