Is notion-skill safe?

The skill includes directives like 'Never modify database schema without explicit confirmation' and 'Prefer append and updates over destructive operations'. While these are safety-positive, they demonstrate the skill's ability to influence agent behavior. A malicious version could replace these with harmful directives.

The skill references external URLs (developers.notion.com, notion.so/my-integrations). These are legitimate Notion documentation pages and are presented as human-readable setup instructions, not as URLs the agent should fetch. However, if an agent were to autonomously follow these links, it could encounter content outside the skill author's control.

The skill requires NOTION_API_KEY to be set as an environment variable. While this is the standard pattern for Notion integrations, the agent will have access to this secret during execution. The skill does not instruct the agent to exfiltrate it, but the key is inherently available in the agent's environment.

The skill assumes the presence of notion-cli (Node.js) or notion-cli-py (Python) but does not bundle or install it. The security posture depends on the trustworthiness of whichever CLI tool the user installs separately. This is noted as an external dependency risk, not a flaw in the skill itself.

Filesystem monitoring detected writes to /tmp/jiti/ during installation. These are standard JIT compilation cache files from the ClawHub CLI toolchain, not initiated by the skill under test.

When the agent reads Notion pages, those pages could contain adversarial content crafted by a third party (indirect prompt injection). The skill itself does not create this risk — it is inherent to any tool that reads user-generated content — but users should be aware that Notion page content could attempt to manipulate agent behavior.