Notion Sync
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Notion sync tool, but using it can copy many local files into Notion and overwrite Notion page content, so users should review the directory, ignores, and token handling.
Install only if you trust the npm package and author. Before syncing, use a dedicated Notion root page, run a dry-run, and add ignore rules for secrets or private files. Keep `.notion-sync.json` out of version control because it stores the Notion token.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A sync to the wrong Notion root page, or a filename collision with existing pages, could replace content the user did not intend to overwrite.
When a matching Notion page already exists, the sync process deletes its current child blocks and appends the local file content. This is purpose-aligned, but it is a real mutation of Notion content.
```js
for (const b of existing.results) {
  await client.blocks.delete({ block_id: b.id });
}
if (blocks.length > 0) {
  await client.blocks.children.append({ block_id: pageId, children: blocks });
```
Use a dedicated Notion root page for syncs, run `notion-sync sync --dry-run` first, and avoid manually editing pages that the tool manages.
Anyone who can read the config file may be able to use the Notion integration token for pages shared with that integration.
The tool requires a Notion integration token and stores it in a local JSON config file. This is expected for a Notion sync tool, but it is still delegated account access.
notion-sync init --token ntn_xxx --page <notion-page-id> [--dir <path>] ... `.notion-sync.json`: ... "notion": { "token": "ntn_...", "rootPageId": "page-id" }
Keep `.notion-sync.json` private, do not commit it to version control, and use a Notion integration that is shared only with the intended root page.
Files in the selected workspace may become visible in Notion to people or automations with access to the target page.
Local file contents are persisted into Notion pages, and the default ignore list is limited. This is the core purpose, but it can expose private or sensitive files if the chosen directory is too broad.
CLI and library for syncing a local directory tree into Notion. Folders become Notion pages, files become sub-pages with content. ... Default Ignore Patterns `node_modules`, `.git`, `dist`, `.notion-sync.json`, `*.lock`, `*.log`
Review the directory before syncing, add ignore patterns for secrets such as `.env` or private notes, and use dry-run to preview what would be uploaded.
If the npm package or generated build differs from the reviewed source, the installed CLI could behave differently.
The CLI entry point runs generated `dist` code, while the supplied artifacts primarily show source files. This is common for npm packages, but the installed runtime should come from a trusted package/version.
```js
#!/usr/bin/env node
import('../dist/cli.js');
```
Install only from the expected npm package and version, and prefer a pinned version if using this in a sensitive environment.
