notion
Integrates with Notion API and CLI for managing pages, databases, and markdown content efficiently.
Security score
The notion skill was audited on May 17, 2026 and we found 51 security issues across 5 threat categories, including 3 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 360 | execute: async ({ name }) => `Hello, ${name}!`, |
Piping content to bash shell
| 39 | curl -fsSL https://ntn.dev | bash |
Curl to non-GitHub URL
| 39 | curl -fsSL https://ntn.dev | bash |
Curl to non-GitHub URL
| 158 | curl -s -X GET "https://api.notion.com/v1/..." \ |
Curl to non-GitHub URL
| 168 | curl -s -X POST "https://api.notion.com/v1/search" \ |
Curl to non-GitHub URL
| 177 | curl -s "https://api.notion.com/v1/pages/{page_id}" \ |
Curl to non-GitHub URL
| 187 | curl -s "https://api.notion.com/v1/pages/{page_id}/markdown" \ |
Curl to non-GitHub URL
| 194 | curl -s "https://api.notion.com/v1/blocks/{page_id}/children" \ |
Curl to non-GitHub URL
| 204 | curl -s -X POST "https://api.notion.com/v1/pages" \ |
Curl to non-GitHub URL
| 217 | curl -s -X PATCH "https://api.notion.com/v1/pages/{page_id}/markdown" \ |
Curl to non-GitHub URL
| 226 | curl -s -X POST "https://api.notion.com/v1/pages" \ |
Curl to non-GitHub URL
| 241 | curl -s -X POST "https://api.notion.com/v1/data_sources/{data_source_id}/query" \ |
Curl to non-GitHub URL
| 253 | curl -s -X POST "https://api.notion.com/v1/data_sources" \ |
Curl to non-GitHub URL
| 270 | curl -s -X PATCH "https://api.notion.com/v1/pages/{page_id}" \ |
Curl to non-GitHub URL
| 279 | curl -s -X PATCH "https://api.notion.com/v1/blocks/{page_id}/children" \ |
Curl to non-GitHub URL
| 293 | curl -s -X POST "https://api.notion.com/v1/file_uploads" \ |
Webhook reference - potential data exfiltration
| 333 | - **Webhooks** — receive HTTP events from external services (GitHub, Stripe, etc.) and act in Notion. |
Webhook reference - potential data exfiltration
| 364 | ### Webhook capability |
Webhook reference - potential data exfiltration
| 367 | worker.webhook("onGithubPush", { |
Webhook reference - potential data exfiltration
| 378 | After deploy: `ntn workers webhooks list` shows the URL Notion generates. Treat that URL as a secret — anyone with it can POST events unless you add signature verification. |
Webhook reference - potential data exfiltration
| 388 | ntn workers env set GITHUB_WEBHOOK_SECRET=... |
Webhook reference - potential data exfiltration
| 391 | ntn workers webhooks list |
Webhook reference - potential data exfiltration
| 438 | | Build a sync / webhook / agent tool hosted by Notion | `ntn workers ...` | WSL2 + `ntn workers ...` | |
Access to hidden dotfiles in home directory
| 29 | 3. Store in `~/.hermes/.env`: |
Access to hidden dotfiles in home directory
| 53 | Add those exports to your shell profile (or to `~/.hermes/.env`) so every session inherits them. |
Access to hidden dotfiles in home directory
| 150 | | `NOTION_KEYRING=0` | File-based creds at `~/.config/notion/auth.json` instead of OS keychain | |
Access to .env file
| 29 | 3. Store in `~/.hermes/.env`: |
Access to .env file
| 53 | Add those exports to your shell profile (or to `~/.hermes/.env`) so every session inherits them. |
Access to system keychain/keyring
| 50 | export NOTION_KEYRING=0 # don't try to use the OS keychain |
Access to system keychain/keyring
| 149 | | `NOTION_API_TOKEN` | Auth token (overrides keychain) — set this to your integration token | |
Access to system keychain/keyring
| 150 | | `NOTION_KEYRING=0` | File-based creds at `~/.config/notion/auth.json` instead of OS keychain | |
External URL reference
| 13 | homepage: https://developers.notion.com |
External URL reference
| 27 | 1. Create an integration at https://notion.so/my-integrations |
External URL reference
| 39 | curl -fsSL https://ntn.dev | bash |
External URL reference
| 140 | ntn files create --external-url https://example.com/photo.png |
External URL reference
| 158 | curl -s -X GET "https://api.notion.com/v1/..." \ |
External URL reference
| 168 | curl -s -X POST "https://api.notion.com/v1/search" \ |
External URL reference
| 177 | curl -s "https://api.notion.com/v1/pages/{page_id}" \ |
External URL reference
| 187 | curl -s "https://api.notion.com/v1/pages/{page_id}/markdown" \ |
External URL reference
| 194 | curl -s "https://api.notion.com/v1/blocks/{page_id}/children" \ |
External URL reference
| 204 | curl -s -X POST "https://api.notion.com/v1/pages" \ |
External URL reference
| 217 | curl -s -X PATCH "https://api.notion.com/v1/pages/{page_id}/markdown" \ |
External URL reference
| 226 | curl -s -X POST "https://api.notion.com/v1/pages" \ |
External URL reference
| 241 | curl -s -X POST "https://api.notion.com/v1/data_sources/{data_source_id}/query" \ |
External URL reference
| 253 | curl -s -X POST "https://api.notion.com/v1/data_sources" \ |
External URL reference
| 270 | curl -s -X PATCH "https://api.notion.com/v1/pages/{page_id}" \ |
External URL reference
| 279 | curl -s -X PATCH "https://api.notion.com/v1/blocks/{page_id}/children" \ |
External URL reference
| 293 | curl -s -X POST "https://api.notion.com/v1/file_uploads" \ |
External URL reference
| 316 | - **URL:** `{"url": "https://..."}` |
External URL reference
| 394 | When asked to build a Worker, scaffold with `ntn workers new`, write the code in `src/index.ts`, set any secrets with `ntn workers env set`, and deploy. Notion's docs at https://developers.notion.com/ |
External URL reference
| 424 | - Citations: `[^https://example.com]` |