Notion API Tools
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward Notion API CLI, but it uses a Notion token and can perform write operations on shared Notion content.
Before using this skill, create a Notion integration token with the narrowest access possible and share only the pages/databases you need. Treat create-page, append-blocks, and update-block as write operations that can change workspace content, and confirm them before allowing an agent to run them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is shared with sensitive Notion pages or databases, the skill can access and potentially modify that content through the Notion API.
The skill intentionally uses a Notion integration token. This is expected for the stated purpose, but it gives the CLI whatever read/write access the integration has to shared Notion pages/databases.
Provide a Notion integration token via either:
- `NOTION_KEY` env var, or
- `~/.config/notion/api_key`
Use a least-privilege Notion integration, share only the pages/databases needed, and rotate the token if it may have been exposed.
An agent using this skill with a valid token could change existing Notion page/block content if given block IDs and write permissions.
The executable exposes Notion block append/update operations with caller-supplied JSON bodies. These are purpose-adjacent, but broader than the main SKILL.md command examples.
append-blocks --block-id <BLOCK_ID> --body '{"children": [...]}'
update-block --block-id <BLOCK_ID> --body '{...}'
Review and confirm write commands before running them, and document all mutation commands clearly in the skill instructions.
Users have limited provenance information for deciding whether this is the expected Notion CLI code.
The provided artifacts show no installer or external dependencies, but they also do not identify an upstream source or homepage for provenance.
Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.
Inspect the included script before use and prefer installing skills from a known, version-controlled source when possible.
