Vibe Notion
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: vibe-notion
Version: 1.5.0
The skill bundle facilitates Notion interaction via an unofficial private API, which involves high-risk automated extraction of 'token_v2' credentials from the Notion desktop app's local storage and system Keychain (on macOS). While this behavior is aligned with the stated purpose of the 'vibe-notion' CLI, the practice of programmatically accessing sensitive third-party application data and storing it in '~/.config/vibe-notion/credentials.json' presents a significant security risk. Additionally, 'SKILL.md' instructs the agent to maintain a persistent 'MEMORY.md' file for workspace metadata, which increases the local attack surface for sensitive information disclosure.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using this skill can give the CLI user-level access to the user's Notion workspaces, including private pages and workspace mutations.
The skill uses the user's Notion desktop session token, acts with the user's identity, and persists that credential locally, while registry metadata declares no primary credential.
Auth | `token_v2` auto-extracted from Notion desktop app ... Identity | Acts as the user ... The extracted `token_v2` is stored at `~/.config/vibe-notion/credentials.json`
Use only if you trust this package with your Notion account; prefer the official Notion API/integration-token flow where possible, and inspect or remove `~/.config/vibe-notion/credentials.json` if you uninstall.
The agent could modify or delete Notion database structure based on generated hints rather than a direct user request.
The skill tells the agent to execute suggested commands from CLI output, including destructive database property deletion, without requiring explicit user review.
When `$hints` is present: Read each hint carefully and execute the suggested fix commands ... Fix: run `database delete-property <database_id> ...`
Treat hints as advisory only; require explicit user confirmation before delete, archive, replace-content, schema-change, comment-posting, or bulk batch operations.
Workspace identifiers, page/database names, and user preferences may persist across tasks and influence later actions even when the current user did not restate them.
The skill creates cross-session persistent memory for Notion workspace structure and preferences, but does not define retention, consent, validation, or poisoning controls.
At the start of every task, read `~/.config/vibe-notion/MEMORY.md` ... After discovering useful information, update ... Workspace IDs ... Page IDs ... Database/collection IDs ... User-given aliases
Review this memory file periodically, delete stale or sensitive entries, and avoid storing page contents or confidential workspace details unless the user explicitly wants that.
The most sensitive code path is not reviewable from the provided artifacts, so the user must trust the external package with Notion account access.
The main CLI is installed from an external npm package with no source/homepage provided in the registry context, and that CLI is responsible for private API access and token handling.
Source: unknown; Homepage: none; Install specifications: node | package: vibe-notion | creates binaries: vibe-notion
Audit the npm package and its source before use, pin a known-good version, and avoid installing it in environments where Notion workspace access is highly sensitive.
