Notion 2025 API Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Notion API helper that uses your Notion key to read and edit shared Notion content, with some safe-use caveats.

Install only if you want OpenClaw to access and modify the Notion pages or databases you share with the integration. Use a dedicated least-privilege Notion integration, share only specific test or intended workspaces, chmod the token file to 600, review batch updates before running them, and do not pass untrusted text or property names directly into the shell helper.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Rogue AgentSelf-Modification, Session Persistence
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (23)

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The document makes strong claims that all user input is validated and safely escaped, but later explicitly warns that passing direct user input to the script is unsafe. This inconsistency can cause operators or downstream agents to overtrust the skill's safety properties and use it in risky ways, leading to malformed requests, injection into generated JSON, or accidental misuse of privileged API credentials.

Intent-Code Divergence

Medium

Confidence: 96% confidence
Finding: The checklist and patch notes overstate the implemented protections by claiming validation on all user-provided data, while other sections admit some direct user input patterns remain unsafe. Security documentation that overclaims coverage is dangerous because users may rely on it to process untrusted content, expanding the blast radius of any remaining injection or request-manipulation flaws in the actual skill.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The README includes copy-pastable examples that create pages and update Notion content, but it does not clearly warn users that these commands will make live changes in their remote Notion workspace. In an agent-skill context, this increases the risk of unintended state-changing actions because users or downstream tools may treat examples as safe to run without realizing they are destructive or persistent.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The examples instruct users to read a live Notion API key from a local secrets file and immediately send authenticated requests to Notion, but they do not clearly warn that credentials and workspace metadata/content will be transmitted to an external service. In a documentation context this is expected behavior for an API integration, but the lack of explicit disclosure increases the chance of accidental data exposure during copy/paste use.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: Several examples create pages, update properties, append blocks, and batch-modify entries in a real Notion workspace without an explicit warning that they will change remote data. This can lead users to unintentionally alter production content, especially in the batch update example where multiple records are modified in a loop.

External Transmission

Medium

Category: Data Exfiltration
Content: NOTION_KEY=$(cat ~/.openclaw/workspace/secrets/notion_api_key.txt) DATA_SOURCE_ID="YOUR_DATA_SOURCE_ID" # Replace with your actual data source ID curl -s -X POST "https://api.notion.com/v1/data_sources/$DATA_SOURCE_ID/query" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 88% confidence
Finding: curl -s -X POST "https://api.notion.com/v1/data_sources/$DATA_SOURCE_ID/query" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \

External Transmission

Medium

Category: Data Exfiltration
Content: NOTION_KEY=$(cat ~/.openclaw/workspace/secrets/notion_api_key.txt) DATABASE_ID="YOUR_DATABASE_ID" # Blog Series database curl -s -X POST "https://api.notion.com/v1/pages" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 91% confidence
Finding: curl -s -X POST "https://api.notion.com/v1/pages" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium

Category: Data Exfiltration
Content: NOTION_KEY=$(cat ~/.openclaw/workspace/secrets/notion_api_key.txt) ENTRY_ID="YOUR_ENTRY_ID" # Minecraft series entry curl -s -X PATCH "https://api.notion.com/v1/pages/$ENTRY_ID" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 90% confidence
Finding: curl -s -X PATCH "https://api.notion.com/v1/pages/$ENTRY_ID" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium

Category: Data Exfiltration
Content: NOTION_KEY=$(cat ~/.openclaw/workspace/secrets/notion_api_key.txt) PAGE_ID="YOUR_ENTRY_ID" curl -s -X PATCH "https://api.notion.com/v1/blocks/$PAGE_ID/children" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 90% confidence
Finding: curl -s -X PATCH "https://api.notion.com/v1/blocks/$PAGE_ID/children" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium

Category: Data Exfiltration
Content: SEVEN_DAYS_AGO=$(date -u -v-7d +"%Y-%m-%d") # macOS # For Linux: SEVEN_DAYS_AGO=$(date -u -d "7 days ago" +"%Y-%m-%d") curl -s -X POST "https://api.notion.com/v1/data_sources/$DATA_SOURCE_ID/query" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 87% confidence
Finding: curl -s -X POST "https://api.notion.com/v1/data_sources/$DATA_SOURCE_ID/query" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \

External Transmission

Medium

Category: Data Exfiltration
Content: NOTION_KEY=$(cat ~/.openclaw/workspace/secrets/notion_api_key.txt) # Get all Draft series SERIES=$(curl -s -X POST "https://api.notion.com/v1/data_sources/YOUR_DATA_SOURCE_ID/query" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 90% confidence
Finding: curl -s -X POST "https://api.notion.com/v1/data_sources/YOUR_DATA_SOURCE_ID/query" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json

External Transmission

Medium

Category: Data Exfiltration
Content: # Update each to "In progress" for entry_id in $SERIES; do curl -s -X PATCH "https://api.notion.com/v1/pages/$entry_id" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 94% confidence
Finding: curl -s -X PATCH "https://api.notion.com/v1/pages/$entry_id" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \ -d '{"pr

External Transmission

Medium

Category: Data Exfiltration
Content: NOTION_KEY=$(cat ~/.openclaw/workspace/secrets/notion_api_key.txt) DATA_SOURCE_ID="YOUR_DATA_SOURCE_ID" # Replace with your actual data source ID curl -s -X POST "https://api.notion.com/v1/data_sources/$DATA_SOURCE_ID/query" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 88% confidence
Finding: https://api.notion.com/

External Transmission

Medium

Category: Data Exfiltration
Content: NOTION_KEY=$(cat ~/.openclaw/workspace/secrets/notion_api_key.txt) DATABASE_ID="YOUR_DATABASE_ID" # Blog Series database curl -s -X POST "https://api.notion.com/v1/pages" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 91% confidence
Finding: https://api.notion.com/

External Transmission

Medium

Category: Data Exfiltration
Content: NOTION_KEY=$(cat ~/.openclaw/workspace/secrets/notion_api_key.txt) ENTRY_ID="YOUR_ENTRY_ID" # Minecraft series entry curl -s -X PATCH "https://api.notion.com/v1/pages/$ENTRY_ID" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 90% confidence
Finding: https://api.notion.com/

External Transmission

Medium

Category: Data Exfiltration
Content: NOTION_KEY=$(cat ~/.openclaw/workspace/secrets/notion_api_key.txt) PAGE_ID="YOUR_ENTRY_ID" curl -s -X PATCH "https://api.notion.com/v1/blocks/$PAGE_ID/children" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 90% confidence
Finding: https://api.notion.com/

External Transmission

Medium

Category: Data Exfiltration
Content: SEVEN_DAYS_AGO=$(date -u -v-7d +"%Y-%m-%d") # macOS # For Linux: SEVEN_DAYS_AGO=$(date -u -d "7 days ago" +"%Y-%m-%d") curl -s -X POST "https://api.notion.com/v1/data_sources/$DATA_SOURCE_ID/query" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 87% confidence
Finding: https://api.notion.com/

External Transmission

Medium

Category: Data Exfiltration
Content: NOTION_KEY=$(cat ~/.openclaw/workspace/secrets/notion_api_key.txt) # Get all Draft series SERIES=$(curl -s -X POST "https://api.notion.com/v1/data_sources/YOUR_DATA_SOURCE_ID/query" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 90% confidence
Finding: https://api.notion.com/

External Transmission

Medium

Category: Data Exfiltration
Content: # Update each to "In progress" for entry_id in $SERIES; do curl -s -X PATCH "https://api.notion.com/v1/pages/$entry_id" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 94% confidence
Finding: https://api.notion.com/

External Transmission

Medium

Category: Data Exfiltration
Content: SERIES_DB="YOUR_DATABASE_ID" # Step 1: Create series entry SERIES_ID=$(curl -s -X POST "https://api.notion.com/v1/pages" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2025-09-03" \ -H "Content-Type: application/json" \
Confidence: 90% confidence
Finding: https://api.notion.com/

External Transmission

Medium

Category: Data Exfiltration
Content: # Security: Properly escape title using jq local escaped_title=$(echo "$title" | jq -Rs '.') local response=$(curl -s -X POST "$BASE_URL/pages" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: $API_VERSION" \ -H "Content-Type: application/json" \
Confidence: 95% confidence
Finding: curl -s -X POST "$BASE_URL/pages" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: $API_VERSION" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium

Category: Data Exfiltration
Content: exit 1 fi local response=$(curl -s -X PATCH "$BASE_URL/pages/$page_id" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: $API_VERSION" \ -H "Content-Type: application/json" \
Confidence: 99% confidence
Finding: curl -s -X PATCH "$BASE_URL/pages/$page_id" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: $API_VERSION" \ -H "Content-Type: application/json" \ -d

Session Persistence

Medium

Category: Rogue Agent
Content: }' | jq '.results[]' ``` ### Create a Database Entry ```bash DATABASE_ID="your_database_id"
Confidence: 84% confidence
Finding: Create a Database Entry ```bash DATABASE_ID="your_database_id" curl -s -X POST "https://api.notion.com/v1/pages" \ -H "Authorization: Bearer $(cat ~/.openclaw

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal