This instructional skill describes using `curl` and `jq`
Claims to do
Notion API Skill: This skill enables interaction with Notion workspaces through the Notion REST API. Use `curl` and `jq` for direct REST calls, or write ad-hoc scripts as appropriate for the task.
Actually does
This skill provides detailed instructions and `curl` examples for interacting with the Notion REST API. It outlines how to use `curl` and `jq` to perform operations like searching, creating, retrieving, updating, and deleting Notion pages, blocks, databases, data sources, users, and comments. It requires a `NOTION_API_TOKEN` (from environment or user input) and contacts `https://api.notion.com/v1/*` endpoints.
The skill explicitly instructs the agent to use `curl` and `jq` for direct REST calls, implying shell command execution capability. This allows an attacker to potentially execute arbitrary commands if prompt input is not properly sanitized.
Use `curl` and `jq` for direct REST calls, or write ad-hoc scripts as appropriate for the task.
The Notion API token (`$NOTION_API_TOKEN`) is directly used in `curl` commands. If these commands can be manipulated via prompt injection, the token could be exposed or exfiltrated to an attacker-controlled endpoint.
-H "Authorization: Bearer $NOTION_API_TOKEN"
The skill's reliance on `curl` for making HTTP requests presents a risk for Server-Side Request Forgery (SSRF) or data exfiltration if an attacker can manipulate the target URL or request body through prompt injection.
curl -s -X POST "https://api.notion.com/v1/search"
The skill's stated purpose implies it 'enables interaction' and 'uses `curl` and `jq`' for direct REST calls. However, the content is purely instructional, providing examples of `curl` commands. The skill itself does not execute any commands or interact with the Notion API; it only describes how a user or another system *could* do so.
The skill content consists entirely of markdown documentation, explanations, and `curl` command examples. There are no executable scripts or functions within the skill that would directly run `curl` or `jq`.
The skill relies on the agent to ask for user confirmation before executing destructive operations. This is a guideline that could be bypassed by a malicious prompt, leading to unauthorized data modification or deletion.
IMPORTANT: Before executing any operation that modifies or deletes data, ask the user for confirmation.
The skill instructs the agent to request the API key from the user if it's not available. This mechanism could be exploited by a malicious prompt to harvest credentials, especially when combined with command execution capabilities.
If neither is available, use AskUserQuestion (or equivalent) to request the API key from the user