Low Risk — Risk Score 20/100
Last scan: 17 hr ago
notion-coworker
An autonomous Notion coworker agent that monitors Gmail for Notion comment mentions and replies to discussion threads with researched answers and documented research subpages.
A legitimate Notion coworker automation skill described entirely through documentation; no executable code, scripts, or dependencies present. Minor doc inconsistencies exist around Phase 6 email management steps but do not indicate malicious intent.
Skill Name: notion-coworker
Duration: 42.3s
Engine: pi
Safe to install
Approve for use. The skill is documentation-only (purely prompt/instruction content). No action required beyond clarifying Phase 6 email-labeling steps in documentation if the implementing agent lacks those Gmail capabilities.

Findings (2 items)

Severity: Low
Finding: Phase 6 contains contradictory email management instructions (Doc Mismatch)
Phase 6 first states 'Gmail modification tools (label, archive, mark-as-read) are not currently available' then immediately instructs to '(1) apply a label notion-coworker, (2) mark as read, and (3) archive'. This inconsistency suggests the author either expected Gmail tool access that isn't available, or the step was copy-pasted without cleanup. No code exists to evaluate which path is intended.
Evidence: "Because Gmail modification tools (label, archive, mark-as-read) are not currently available, clearly list each processed email..."
→ Clarify Phase 6: either remove the 'apply label, mark read, archive' step or explicitly document that a Gmail tool with write/modify access is required. This is a documentation hygiene issue, not a security concern given no code is present.
Location: SKILL.md:167

Severity: Low
Finding: Memory/conversation history access not declared in capability model (Doc Mismatch)
Phase 3 Level 1 references 'conversation_search' and 'recent_chats' tools to access conversation history and memory. This is filesystem-like or environment-like data access that is not declared in the skill's capability model. However, it is standard memory functionality for autonomous agents.
Evidence: "Use conversation_search and recent_chats tools to find relevant past exchanges"
→ If the implementing platform exposes these tools, ensure they are declared in the allowed-tools mapping. Otherwise, this is a documentation gap with no current security impact.
Location: SKILL.md:67
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | Gmail read, web search, Notion API calls — all documented in phases 1, 3, 4, 5 |
| Filesystem | NONE | NONE | | No filesystem access described or implied |
| Shell | NONE | NONE | | No shell, subprocess, or command execution described |
| Environment | NONE | NONE | | No environment variable access described |
| Skill Invoke | NONE | NONE | | No cross-skill invocation described |
| Clipboard | NONE | NONE | | No clipboard access described |
| Browser | NONE | NONE | | No browser automation described; web search uses API not browser |
| Database | NONE | NONE | | No database access described |
1 finding
Info: Email address [email protected] (SKILL.md:5)

File Tree

1 file · 8.9 KB · 218 lines
Markdown: 1 file · 218 lines
└─ SKILL.md (Markdown, 218 lines, 8.9 KB)

Security Positives

✓ No executable code, scripts, or binaries present — skill is purely a documentation/prompt file
✓ No credential harvesting, API key enumeration, or environment variable access
✓ No network requests to raw IPs, no base64 payloads, no obfuscation
✓ No curl|bash, wget|sh, or remote script execution patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, key files)
✓ No supply chain risk — no dependencies (requirements.txt, package.json, etc.)
✓ Gmail access is explicitly scoped to reading [email protected] notifications — narrow and legitimate
✓ Web search is scoped to research phase only — not used for data exfiltration
✓ Stated purpose (autonomous Notion coworker) matches actual documented behavior