notion-agent-memory
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Raw secrets or instructions for using them could persist across sessions and be exposed to future agents, workspace collaborators, or anyone with access to the memory files or Notion pages.
The memory guidance explicitly encourages saving credentials and usage details in persistent notes, but does not specify redaction, secret-manager use, file permissions, or Notion sharing limits.
"Don't just save credentials → document how to use them with examples"
Do not store raw credentials in MEMORY.md, AGENTS.md, or Notion. Store only references to a password manager, vault, or environment variable, and restrict the Notion integration to the minimum pages needed.

If implemented, an agent could keep monitoring messages, calendars, or notifications after the user's immediate task is over.
The heartbeat template encourages recurring autonomous checks and background jobs that continue beyond the immediate session, without defining exact accounts, permissions, approval steps, or stop conditions.
"Check email/calendar every 2 hours while awake - Monitor for urgent notifications - Use cron jobs for background tasks that survive session breaks"
Treat heartbeat/cron behavior as opt-in only. Define exact services, schedules, allowed actions, logging, and a clear way to disable it before enabling any background checks.

Future agent sessions may rely on saved instructions or context that the user did not intend to make permanent.
Persistent memory and self-updating instruction files are central to the skill, but they can influence future sessions if inaccurate, stale, overly sensitive, or malicious content is added.
"Every time you begin: 1. Read MEMORY.md ... Update the Instructions ... update this file. Next time starts smarter."
Review memory and instruction changes regularly, label sources and dates, avoid storing secrets or sensitive personal data, and treat saved memory as lower priority than direct user and system instructions.

An agent with the Notion token could add or modify memory entries in shared Notion pages or databases that the integration can access.
The Notion integration examples include creating and updating Notion pages. This is expected for a memory system, but it is still mutation authority over a third-party workspace.
"Create a Page ... curl -s -X POST "https://api.notion.com/v1/pages" ... Update a Page ... curl -s -X PATCH "https://api.notion.com/v1/pages/$PAGE_ID""
Share only the specific Notion pages/databases needed with the integration, review write actions, and use a dedicated low-privilege Notion integration.
