Notion Agent

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a straightforward Notion integration that can read and change Notion content you share with it, with no hidden behavior evident in the provided code.

Install only if you are comfortable letting an agent operate on selected Notion pages and databases. Use a dedicated Notion integration, share only the resources needed, protect the NOTION_TOKEN, and double-check page archive/delete or database update actions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill can create, update, append to, and archive Notion content that the integration can access.

Why it was flagged

The skill exposes Notion mutation actions, including archiving a page. This is purpose-aligned for a Notion management skill, but it can affect real workspace content.

Skill content

**Delete (archive) a page:**
```bash
uv run {baseDir}/scripts/notion.py page delete <page_id>
```

Recommendation

Share only the needed Notion pages or databases with the integration, and review or require confirmation for update, add, and archive/delete actions.

What this means

Anyone or any agent process with access to the token can act on Notion resources shared with that integration.

Why it was flagged

The code reads the Notion integration token from the environment and uses it as a bearer token for Notion API calls. This is expected, but it grants the skill the integration's Notion permissions.

Skill content

```python
self.token = token or os.getenv("NOTION_TOKEN")
...
"Authorization": f"Bearer {self.token}"
```

Recommendation

Use a dedicated Notion integration token, keep it out of logs and shared shells, and grant the integration access only to the minimum pages and databases needed.

What this means

The skill may depend on whatever compatible requests package version is resolved in the user's environment.

Why it was flagged

The runtime dependency is specified with a lower-bound version instead of a lock-pinned version, so uv may resolve a newer package version when run.

Skill content

```toml
dependencies = [
    "requests>=2.31.0",
]
```

Recommendation

Run in a trusted Python environment and consider pinning or locking dependencies if reproducibility is important.