Notion

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a documentation-only Notion helper, but using it requires a Notion API key that can read and modify the Notion pages or databases you share with the integration.

Install this only if you want the agent to work with Notion. Create a dedicated Notion integration, share only the pages or databases it needs, keep the API key private, and confirm any operation that creates or changes Notion content.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone or any agent using this key can access and modify the Notion content shared with the integration.

Why it was flagged

The skill clearly requires a Notion integration credential and stores it locally for API calls. This is expected for the Notion API, but the key can access any pages or databases shared with that integration.

Skill content
Copy the API key (starts with `ntn_` or `secret_`)
...
echo "ntn_your_key_here" > ~/.config/notion/api_key
Recommendation

Use a dedicated Notion integration, share only the specific pages or databases needed, protect the key file, and revoke or rotate the key if it is no longer needed.

ASI02: Tool Misuse and Exploitation
Medium
What this means

The agent could create or update Notion pages, databases, and blocks if given the API key and target IDs.

Why it was flagged

The instructions include raw Notion API mutation operations such as updating page properties and adding blocks. These operations are purpose-aligned, but they can change user workspace content.

Skill content
curl -X PATCH "https://api.notion.com/v1/pages/{page_id}" ... -d '{"properties": {"Status": {"select": {"name": "Done"}}}}'
Recommendation

Review and confirm page/database IDs and request bodies before running mutating POST or PATCH requests, especially in shared workspaces.