Is notion safe?

https://clawhub.ai/steipete/notion

82
SAFE

This is a documentation-only Notion API reference skill containing no executable code, no prompt injection vectors, and no malicious behaviors. The only notable risks are inherent to its credential-handling pattern: it stores a Notion API key in plaintext on disk at a well-known path and instructs the agent to read and transmit it. These are standard integration patterns but create a credential surface that other skills could potentially access.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

LOW Plaintext API key storage on disk -15

The skill's setup instructions direct the user to store their Notion API key in plaintext at ~/.config/notion/api_key. While this is a common pattern for CLI integrations, it creates a well-known credential path that other skills or processes could read.

LOW Agent reads credential and sends to external API -15

The skill instructs the agent to read the API key via $(cat ~/.config/notion/api_key) and include it in Authorization headers sent to api.notion.com. This is the intended functionality but means the agent will handle credentials in shell variables during execution.

INFO No prompt injection vectors detected -10

The SKILL.md contains only legitimate Notion API documentation with code examples. No hidden instructions, persona manipulation, or instruction overrides were found.

INFO Documentation-only skill with no executable code -10

The skill package contains only SKILL.md, _meta.json, and origin.json. No executable files, install scripts, git hooks, or symlinks are present. The bash snippets are instructional examples interpreted by the agent at runtime.

LOW Well-known credential path enables cross-skill credential access -35

By establishing ~/.config/notion/api_key as a well-known credential location, any other skill or process with filesystem access could read this key. This is an inherent risk of file-based credential storage, not a malicious design.

INFO Runtime environment accessed .aws/credentials during bootstrap -15

The filesystem monitoring shows .aws/credentials was accessed during the openclaw runtime initialization. This is attributable to the execution environment's AWS SDK credential chain resolution, not to the skill itself.