Trust Assessment
The notion skill received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 2 medium, and 0 low severity. Key findings include Command Injection via external CLI execution, Unpinned external CLI dependency introduces supply chain risk, Potential for data exfiltration via Notion read operations.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Command Injection via external CLI execution.** The skill explicitly documents and expects the agent to execute `notion-cli` commands. If arguments such as `<page_id>`, `--markdown "..."`, `--filter <json>`, `--props <json>`, or `--desired <json>` are derived directly from untrusted user input without proper sanitization, an attacker could inject arbitrary shell commands, leading to remote code execution or data manipulation. Implement robust input validation and sanitization for all arguments passed to `notion-cli`. Use a safe command execution library or function that prevents shell injection by passing arguments as a list (e.g., `subprocess.run` in Python with `shell=False`), rather than a single string. | LLM | SKILL.md:44 |
| HIGH | **Unpinned external CLI dependency introduces supply chain risk.** The skill relies on an external `notion-cli` (Node.js) or `notion-cli-py` (Python) tool, as indicated in both the manifest and the skill documentation. The manifest does not specify version pinning for this dependency, making the skill vulnerable to supply chain attacks if a malicious or vulnerable version of the CLI tool is installed or updated. This could lead to compromised execution environments or data. Pin the versions of `notion-cli` (or `notion-cli-py`) to specific, known-good versions. Regularly audit the chosen CLI tool for vulnerabilities and update only after thorough verification. Consider wrapping CLI calls in a more controlled, sandboxed environment. | LLM | SKILL.md:5 |
| MEDIUM | **Potential for data exfiltration via Notion read operations.** The skill provides commands like `notion-cli page get <page_id>` and `notion-cli db query <database_id>` which can retrieve potentially sensitive data from Notion. If the agent can be prompted to read confidential information and then output it or transmit it to an unauthorized destination (e.g., via another tool or direct LLM output), it poses a data exfiltration risk. Implement strict output filtering and content moderation for any data retrieved from Notion. Restrict the agent's ability to output raw data, especially if it's sensitive. Ensure the LLM's context window is not used to store or transmit sensitive data unnecessarily. Consider redacting or summarizing sensitive information before output. | LLM | SKILL.md:38 |
| MEDIUM | **Excessive permissions granted by NOTION_API_KEY.** The `NOTION_API_KEY` grants access to Notion, and the skill's documented commands (e.g., `db schema apply`, `page create`, `page update`, `block append`) allow for significant modification and creation of content. If the API key has broad permissions, an attacker could manipulate the agent to perform unauthorized or destructive actions within Notion, such as deleting pages, modifying database schemas, or creating malicious content. Apply the principle of least privilege to the `NOTION_API_KEY`. Configure the Notion integration with the minimum necessary permissions required for the skill's intended functionality. Implement human-in-the-loop confirmation for highly sensitive or destructive operations (e.g., schema changes, mass deletions). | LLM | SKILL.md:15 |