Trust Assessment
notion received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Dependency Confusion / Typosquatting Risk and Excessive Permissions: Arbitrary File Upload.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Dependency Confusion / Typosquatting Risk.** The skill's manifest specifies `npm install -g @jordancoin/notioncli` for installation, indicating the intended package. However, both the `SKILL.md` documentation and the `install.sh` script instruct `npm install -g notioncli`. This discrepancy creates a critical supply chain risk. An attacker could publish a malicious package named `notioncli` to the public npm registry, which would be installed instead of the intended `@jordancoin/notioncli` package, leading to arbitrary code execution or other compromises during skill installation. Ensure consistency across all installation instructions. If `@jordancoin/notioncli` is the correct package, update `SKILL.md` and `install.sh` to use `npm install -g @jordancoin/notioncli`. If `notioncli` is the correct package, update the manifest's `install` field accordingly and verify the authenticity of the `notioncli` package on npm. | LLM | SKILL.md:10 |
| HIGH | **Excessive Permissions: Arbitrary File Upload.** The `notion upload` command explicitly allows the skill to read and upload arbitrary local files (e.g., `./report.pdf`, `./screenshot.png`) from the agent's filesystem to Notion. If an attacker can manipulate the filename argument provided to this command, they could potentially exfiltrate sensitive files from the agent's environment. This grants broad filesystem read access that may not be necessary or intended for all skill operations. Restrict the `upload` command's capabilities to specific directories or file types if possible. Implement strict validation and sanitization of any user-provided file paths before constructing and executing the `notion upload` command. Consider if direct file system access for uploads is truly required, or if an alternative, more controlled mechanism could be used. | LLM | SKILL.md:198 |