Security Audit
21-DOT-DEV/openclaw-skills:skills/notion-cli
github.com/21-DOT-DEV/openclaw-skillsTrust Assessment
21-DOT-DEV/openclaw-skills:skills/notion-cli received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Unpinned `notion-cli` dependencies, Potential for Command Injection via CLI arguments, Risk of Over-privileged Notion Integration Token.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on April 1, 2026 (commit 388d7666). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned `notion-cli` dependencies The installation instructions for `notion-cli` use unpinned versions for both Homebrew (`brew install salmonumbrella/tap/notion-cli`) and npm (`npm install -g notion-cli`). This means that future installations could pull any version of the `notion-cli` package, including potentially malicious or vulnerable versions, without explicit review. This introduces a supply chain risk where a compromise of the upstream `notion-cli` project could directly impact the security of the agent's environment. Pin the `notion-cli` dependency to a specific version or commit hash in the installation instructions to ensure deterministic and reproducible builds. For npm, use `npm install -g notion-cli@<version>`. For Homebrew, consider using a specific tap version or a custom formula if version pinning is not directly supported. | LLM | SKILL.md:25 | |
| HIGH | Potential for Command Injection via CLI arguments The skill wraps the `notion` CLI, exposing various commands that take arguments (e.g., `--query`, `--title`, `--value`, `<PAGE_ID>`, `<DATABASE_ID>`). If an AI agent constructs these commands using untrusted input (e.g., from user prompts, Notion page content, or other external sources) without proper sanitization or validation, it could lead to command injection. An attacker could embed shell metacharacters or malicious commands within these arguments, potentially executing arbitrary code on the host system. The skill explicitly warns about treating Notion content as untrusted data, which implicitly acknowledges this risk. The AI agent using this skill must implement robust input sanitization and validation for all arguments passed to the `notion` CLI, especially when these arguments originate from untrusted sources. Consider using a library that safely escapes shell arguments or validating input against expected formats (e.g., UUIDs for IDs, alphanumeric for titles, etc.). The skill developer should also consider providing a wrapper function that handles this sanitization automatically. | LLM | SKILL.md:65 | |
| MEDIUM | Risk of Over-privileged Notion Integration Token The skill documentation advises users to "Only share the specific pages and databases the agent needs with the integration. Do not share the entire workspace." This indicates that the Notion integration token, if misconfigured, could be granted excessive read/write permissions across an entire Notion workspace. While the skill provides good advice, the potential for user error in configuration could lead to a highly privileged token being used, increasing the blast radius in case of compromise or misuse. Emphasize the principle of least privilege even more strongly. If possible, provide guidance on how to programmatically verify the scope of the integration token or suggest tools that can help manage and restrict Notion integration permissions. For the agent, ensure it only requests access to the minimum necessary resources. | LLM | SKILL.md:120 |
Scan History
Embed Code
[](https://skillshield.io/report/e14316332330fc60)
Powered by SkillShield