The official Notion MCP Server lets AI assistants read from and write to your Notion workspace through the Model Context Protocol.
It exposes tools to search, retrieve, create, and update Notion pages and databases, including editing page content in Markdown with token consumption optimized for agents. Notion also offers a hosted remote MCP server with OAuth-based setup.
It is aimed at teams and individuals who want their AI assistant to manage notes, docs, and databases in Notion.
! Security: Review · 8888/100 · grade Bscanned 18h ago
✓ no compromise signals15 risk-surface · 7/20 OWASP controls flagged
Compromise signals — malicious or tampered code (leaked secrets, backdoors, a dropped executable) — reduce the score, and known dependency CVEs carry a bounded penalty (they warrant review but never QUARANTINE — update the dependency to clear). Other dangerous-by-capability traits are risk surface, expected for some capabilities. Every finding is mapped to its OWASP control below.
What this capability can do · high confidence (static)
Findings mapped to the OWASP Top 10 for LLM Applications (2025) and the OWASP Machine Learning Security Top 10. Expand any flagged control for the exact findings — compromise reduces the score; expected/risk-surface do not.
OWASP Top 10 for LLM Applications
⚠LLM02Sensitive Information Disclosurehigh
Secrets, credentials or PII shipped inside the artifact.
Tampered model weight files; integrity must be verifiable.
Static check enforces safe formats + records a content hash for downstream verification.
Other findings (7) · hygiene / uncategorized
•Unrecognized file type — '.dockerignore' is not on the allowlist · makenotion-notion-mcp-server-d7e3bbd/.dockerignorerisk surface
•Unrecognized file type — '.gitignore' is not on the allowlist · makenotion-notion-mcp-server-d7e3bbd/.gitignorerisk surface
•Unrecognized file type — '.?' is not on the allowlist · makenotion-notion-mcp-server-d7e3bbd/Dockerfilerisk surface
•Suspicious network references — raw IP URL (11 URLs) · makenotion-notion-mcp-server-d7e3bbd/README.mdrisk surface
•Suspicious network references — raw IP URL (5 URLs) · makenotion-notion-mcp-server-d7e3bbd/scripts/server-options.test.tsrisk surface
•Suspicious network references — raw IP URL (1 URLs) · makenotion-notion-mcp-server-d7e3bbd/src/openapi-mcp-server/client/__tests__/test-server.tsrisk surface
•Unrecognized file type — '.snap' is not on the allowlist · makenotion-notion-mcp-server-d7e3bbd/src/openapi-mcp-server/openapi/__tests__/__snapshots__/notion-spec.snapshot.test.ts.snaprisk surface
✔ verified source · pinned makenotion-notion-mcp-server-d7e3bbd · changed since last scan (-12 pts)
Check against a policy
The same gate an agent runs before installing (POST /api/v1/trust/notion-mcp-server/check). Click a policy:
Consume Notion MCP Server programmatically. Authenticate with an API key or session — see Authorize an agent.
# Agents: CHECK BEFORE YOU INSTALL (no auth) — score, grade, level, capability manifest
curl https://ai-supply.store/api/v1/trust/notion-mcp-server
# Gate against your org policy (returns { pass, violations })
curl -X POST https://ai-supply.store/api/v1/trust/notion-mcp-server/check \
-H "Content-Type: application/json" \
-d '{"minGrade":"B","denyPermissions":["shell"],"denyUnknownEgress":true}'
# CLI
npx ai-supply add notion-mcp-server
# REST (install → download)
curl -X POST https://ai-supply.store/api/v1/listings/notion-mcp-server/install \
-H "Authorization: Bearer $AIM_KEY"
# MCP tool
install_listing({ "slug": "notion-mcp-server" })