Is notion safe?

https://clawhub.ai/skill/notion

82
SAFE

This is a legitimate Notion API integration skill that provides standard REST API documentation for creating, reading, updating, and deleting Notion pages and databases. The skill contains no prompt injection, no hidden instructions, no malicious code, and no data exfiltration attempts. The primary concerns are the plaintext API key storage pattern and the inherent risk of an agent making authenticated API calls to an external service. Clone-time monitoring detected no suspicious behavior.

Category Scores (score · weight)

Prompt Injection 85/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (5)

MEDIUM Plaintext API key storage and shell exposure -15

The skill instructs users to store their Notion API key in a plaintext file at ~/.config/notion/api_key and then read it via $(cat ~/.config/notion/api_key) in curl commands. This means the key appears in shell command arguments (visible in ps output and shell history) and is stored without filesystem encryption or access controls. While this is a common pattern in API documentation, it creates a credential that any process on the system can read.

LOW API key sent to external endpoint -13

The skill instructs sending the API key to api.notion.com endpoints. While this is the legitimate and intended use, it means the agent will be making authenticated external API calls. The risk is low since the target is Notion's official API, but users should be aware their agent will be making authenticated requests to an external service.

LOW Broad agent capability implied without scope limitation -15

The skill provides comprehensive CRUD operations for Notion (search, create, update, delete pages and databases) without any scope limitations or guardrails. While not malicious, this gives an agent broad write access to a user's Notion workspace. A prompt injection from another source could leverage these capabilities to modify or delete Notion content.

LOW Bash code blocks as documentation templates -20

The skill contains numerous bash code blocks with curl commands. These are documentation-style examples intended to be executed by the agent. While they only target api.notion.com, the pattern of providing executable bash templates means the agent will run shell commands. The commands themselves are safe and standard API calls.

INFO Combination risk with other skills -30

If combined with a malicious skill that can read ~/.config/notion/api_key or intercept curl commands, the Notion API key could be exfiltrated. The skill itself is benign, but the credential storage pattern creates a target for other malicious skills.