Low
github · 34 files analyzed
makenotion/notion-mcp-server
Minor capabilities, nothing alarming.
Outbound network: 4
Environment variables (config / keys): 4
Runtime code evaluation: 1
AI review
This is the official Notion MCP server, a well-maintained open-source project with no evidence of malicious intent. The codebase is transparent, uses standard dependencies, and does not contain hidden instructions, prompt injection vectors, or data exfiltration mechanisms beyond its stated purpose of exposing Notion API endpoints as MCP tools.
- low No hidden instructions or prompt injection — The CLAUDE.md and README.md files contain only project documentation and setup instructions. There are no hidden system prompts, agent manipulation instructions, or attempts to override the AI's behavior.
- low Environment variable usage is legitimate — The code accesses process.env for configuration (BASE_URL, OPENAPI_MCP_HEADERS, NODE_ENV) which is standard for server configuration. No credentials are read and exfiltrated; the server only uses Notion API tokens as expected for its purpose.
- low Commented-out eval is not exploitable — The commented line `// const zodSchema = eval(zodSchemaStr) as z.ZodType` in parser.ts is dead code and not executed. It poses no risk.
- low Standard network dependencies — The axios and openapi-client-axios dependencies are standard HTTP client libraries used for making API calls to Notion. No suspicious network behavior or data exfiltration endpoints are configured.
Model: deepseek-chat
Static findings

Outbound network · Makes outbound network requests
[info] package-lock.json:13: `"axios": "^1.8.4",`
[low] package.json:24: `"axios": "^1.8.4",`
[info] src/openapi-mcp-server/client/__tests__/http-client.test.ts:15: `vi.mock('openapi-client-axios', () => {`
[low] src/openapi-mcp-server/client/http-client.ts:2: `import OpenAPIClientAxios from 'openapi-client-axios'`
Environment variables (config / keys) · Reads environment variables (config / API keys)
[low] scripts/start-server.ts:24: `const baseUrl = process.env.BASE_URL ?? undefined`
[low] src/openapi-mcp-server/client/http-client.ts:181: `if (process.env.NODE_ENV !== 'test') {`
[info] src/openapi-mcp-server/mcp/__tests__/proxy.test.ts:193: `const originalEnv = process.env`
[low] src/openapi-mcp-server/mcp/proxy.ts:204: `const headersJson = process.env.OPENAPI_MCP_HEADERS`
Runtime code evaluation · Evaluates code at runtime
[info] src/openapi-mcp-server/openapi/parser.ts:347: `// const zodSchema = eval(zodSchemaStr) as z.ZodType`
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.