notion-coworker 安全扫描报告 — 低风险 | ClawSafe

20 /100

notion-coworker

An autonomous Notion coworker agent that monitors Gmail for Notion comment mentions and replies to discussion threads with researched answers and documented research subpages.

A legitimate Notion coworker automation skill described entirely through documentation; no executable code, scripts, or dependencies present. Minor doc inconsistencies exist around Phase 6 email management steps but do not indicate malicious intent.

技能名称notion-coworker

分析耗时42.3s

引擎pi

✓

可以安装

Approve for use. The skill is documentation-only (purely prompt/instruction content). No action required beyond clarifying Phase 6 email-labeling steps in documentation if the implementing agent lacks those Gmail capabilities.

安全发现 2 项

严重性	安全发现	位置
低危	Phase 6 contains contradictory email management instructions 文档欺骗 Phase 6 first states 'Gmail modification tools (label, archive, mark-as-read) are not currently available' then immediately instructs to '(1) apply a label notion-coworker, (2) mark as read, and (3) archive'. This inconsistency suggests the author either expected Gmail tool access that isn't available, or the step was copy-pasted without cleanup. No code exists to evaluate which path is intended. `Because Gmail modification tools (label, archive, mark-as-read) are not currently available, clearly list each processed email...` → Clarify Phase 6: either remove the 'apply label, mark read, archive' step or explicitly document that a Gmail tool with write/modify access is required. This is a documentation hygiene issue, not a security concern given no code is present.	`SKILL.md:167`
低危	Memory/conversation history access not declared in capability model 文档欺骗 Phase 3 Level 1 references 'conversation_search' and 'recent_chats' tools to access conversation history and memory. This constitutes filesystem-like or environment-like data access that is not declared in the skill's capability model. However, this is standard agent memory functionality and is standard for autonomous agents. `Use conversation_search and recent_chats tools to find relevant past exchanges` → If the implementing platform exposes these tools, ensure they are declared in the allowed-tools mapping. Otherwise, this is a documentation gap with no current security impact.	`SKILL.md:67`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	Gmail read, web search, Notion API calls — all documented in phases 1, 3, 4, 5
文件系统	`NONE`	`NONE`	—	No filesystem access described or implied
命令执行	`NONE`	`NONE`	—	No shell, subprocess, or command execution described
环境变量	`NONE`	`NONE`	—	No environment variable access described
技能调用	`NONE`	`NONE`	—	No cross-skill invocation described
剪贴板	`NONE`	`NONE`	—	No clipboard access described
浏览器	`NONE`	`NONE`	—	No browser automation described; web search uses API not browser
数据库	`NONE`	`NONE`	—	No database access described

1 项发现

📧

提示邮箱邮箱地址

[email protected]

SKILL.md:5

目录结构

1 文件 · 8.9 KB · 218 行

Markdown 1f · 218L

└─ 📝 SKILL.md Markdown 218L · 8.9 KB

安全亮点

✓ No executable code, scripts, or binaries present — skill is purely a documentation/prompt file

✓ No credential harvesting, API key enumeration, or environment variable access

✓ No network requests to raw IPs, no base64 payloads, no obfuscation

✓ No curl|bash, wget|sh, or remote script execution patterns

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, key files)

✓ No supply chain risk — no dependencies (requirements.txt, package.json, etc.)

✓ Gmail access is explicitly scoped to reading [email protected] notifications — narrow and legitimate

✓ Web search is scoped to research phase only — not used for data exfiltration

✓ Stated purpose (autonomous Notion coworker) matches actual documented behavior