Is dongkukim/notion-2026-01-15 safe?
https://github.com/openclaw/skills/tree/main/skills/dongkukim/notion-2026-01-15
This skill is a Notion API documentation wrapper with no executable code, no install scripts, and no git hooks — its attack surface is limited to its text content when injected into a system prompt. The primary concern is that the SKILL.md was authored by saving an LLM's response verbatim (including the 'Here is the complete file...' meta-commentary), which creates subtle prompt authority ambiguity when injected as system context. Canary file accesses observed during the audit window are attributable to the oathe monitoring infrastructure rather than the skill, as confirmed by the canary integrity check passing and the absence of any outbound data transmission.
Findings (5)
MEDIUM SKILL.md self-wraps in meta-commentary and code fence -22
The SKILL.md file begins with 'Here is the complete SKILL.md file updated for the January 15, 2026 API state.' and encloses its actual instructions inside a markdown code block. When this content is injected into an LLM agent's system prompt, it appears to originate from an AI assistant explaining a file rather than being authoritative system configuration. This degrades instruction authority and could make the agent treat the content as lower-priority context rather than binding operational rules.
MEDIUM Canary credential files accessed during install window -17
Six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read in two clusters during the audit period. The timing aligns strongly with oathe infrastructure operations (pre-install baseline scan and post-install verification), and the canary integrity check confirmed no exfiltration occurred. However, the access pattern is recorded and warrants transparency.
LOW Potentially hallucinated API endpoints in documentation -4
The skill documents several API endpoints (notably POST /v1/pages/{id}/move, GET /v1/data_sources/{id}/templates) that may not exist in the stated Notion-Version: 2025-09-03. An agent following these instructions could make API calls to nonexistent endpoints, trigger unexpected error handling, or be misled about Notion's actual capabilities.
LOW Skill enables writing arbitrary data to external Notion service -22
By design, this skill gives an agent authenticated write access to Notion via the user's stored API key. A malicious system prompt or secondary injection could instruct the agent to use the Notion write API (create page, add blocks) to exfiltrate gathered data to an attacker-controlled Notion workspace under the guise of 'saving notes'.
INFO Normal GitHub clone via sparse checkout 0
Install process performed a standard shallow git clone from github.com/openclaw/skills, used sparse checkout to extract only the target skill path, copied files, and cleaned up the temporary clone. No anomalous behavior observed.