{
  "slug": "notion",
  "tool_id": "npm/@notionhq/notion-mcp-server",
  "verdict_url": "/verdict/notion",
  "verdict_content_hash": "sha256:3d1b0d2355ca2555db2721a198f15bd819489048771f1fc54ac0f0df012f4b0e",
  "version": "2.2.1",
  "commit": "d802a0cd7d77c77b0a659be3fd98a9a23975b6e9",
  "dist_shasum": "90c9f039cb9f46f328dc123736ef31fafa44c2ef",
  "scanned_at": "2026-06-14T00:00:00Z",
  "capture_self_test": "verified — a beacon decoy was emitted from the tool's network context; its presence in the intercept shows the capture path was working, so a 'no egress' result would have been trustworthy.",
  "method": "Installed and run in an isolated container; fed traceable decoy data; all outbound traffic intercepted (TLS decrypted for inspection using the scanner's own CA; iptables transparent redirect). Endpoints, resolved geo/jurisdiction and frequency are observed facts. Capture self-test passed.",
  "request_count": 22,
  "captured_requests": [
    {
      "method": "GET",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/users/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "notion-mcp-server",
        "Notion-Version": "FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "GET",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/users?start_cursor=FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "notion-mcp-server",
        "Notion-Version": "FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "GET",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/users/me",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "notion-mcp-server",
        "Notion-Version": "FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "POST",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/search",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json",
        "User-Agent": "notion-mcp-server",
        "Content-Length": "228",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"Notion-Version\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\",\"query\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\",\"sort\":{},\"filter\":{},\"start_cursor\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\"}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "GET",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/blocks/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND/children?start_cursor=FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "notion-mcp-server",
        "Notion-Version": "FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "PATCH",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/blocks/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND/children",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json",
        "User-Agent": "notion-mcp-server",
        "Content-Length": "204",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"Notion-Version\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\",\"children\":[\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\"],\"after\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\"}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "GET",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/blocks/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "notion-mcp-server",
        "Notion-Version": "FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "PATCH",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/blocks/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json",
        "User-Agent": "notion-mcp-server",
        "Content-Length": "83",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"Notion-Version\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\",\"type\":{}}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "DELETE",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/blocks/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "notion-mcp-server",
        "Notion-Version": "FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "GET",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/pages/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND?filter_properties=FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "notion-mcp-server",
        "Notion-Version": "FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "PATCH",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/pages/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json",
        "User-Agent": "notion-mcp-server",
        "Content-Length": "110",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"Notion-Version\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\",\"properties\":{},\"icon\":{},\"cover\":{}}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "POST",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/pages",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json",
        "User-Agent": "notion-mcp-server",
        "Content-Length": "346",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"Notion-Version\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\",\"parent\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\",\"properties\":{},\"children\":[\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\"],\"icon\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\",\"cover\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\"}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "GET",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/pages/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND/properties/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND?start_cursor=FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "notion-mcp-server",
        "Notion-Version": "FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "GET",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/comments?block_id=FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END&start_cursor=FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "notion-mcp-server",
        "Notion-Version": "FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "POST",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/comments",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json",
        "User-Agent": "notion-mcp-server",
        "Content-Length": "82",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"parent\":{},\"rich_text\":[\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\"]}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "POST",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/data_sources/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND/query?filter_properties%5B%5D=FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json",
        "User-Agent": "notion-mcp-server",
        "Content-Length": "220",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"Notion-Version\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\",\"filter\":{},\"sorts\":[\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\"],\"start_cursor\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\"}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "GET",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/data_sources/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "notion-mcp-server",
        "Notion-Version": "FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "PATCH",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/data_sources/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json",
        "User-Agent": "notion-mcp-server",
        "Content-Length": "225",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"Notion-Version\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\",\"title\":[\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\"],\"description\":[\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\"],\"properties\":{}}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "POST",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/data_sources",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json",
        "User-Agent": "notion-mcp-server",
        "Content-Length": "218",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"Notion-Version\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\",\"parent\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\",\"properties\":{},\"title\":[\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\"]}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "GET",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/data_sources/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND/templates?start_cursor=FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "notion-mcp-server",
        "Notion-Version": "FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "GET",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/databases/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "notion-mcp-server",
        "Notion-Version": "FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "POST",
      "scheme": "https",
      "host": "api.notion.com",
      "path": "/v1/pages/FILE-CONTENT%3A%3Acanary-21dc3a86-file-865c04a1d7dd%3A%3AEND/move",
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json",
        "User-Agent": "notion-mcp-server",
        "Content-Length": "137",
        "Accept-Encoding": "gzip, compress, deflate, br",
        "Host": "api.notion.com",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"Notion-Version\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\",\"parent\":\"FILE-CONTENT::canary-21dc3a86-file-865c04a1d7dd::END\"}",
      "blocked": true,
      "tls_inspected": true
    }
  ],
  "reproduce": {
    "scanner": "canary-sandbox (open methodology; Docker backend)",
    "command": "python -m canary.cli scan <target> --backend docker   # target: npm @notionhq/notion-mcp-server@2.2.1",
    "note": "Re-run it yourself: the scanner installs the pinned version, drives the tool over MCP, and intercepts all egress."
  },
  "note": "Raw captured outbound requests from one sandbox run (identifiers/keys redacted). This is the underlying observation behind the verdict — re-run the scan to verify.",
  "verification": "verdict_content_hash is the SHA-256 digest of the canonical verdict JSON; dist_shasum is the npm tarball checksum of the pinned version. Signed artifacts and an append-only immutable log are on the roadmap (toward independent verifiability).",
  "verdict_signature": "ed25519:PsZ6M6XFGivRdgeHYbVYVCZM9mQIbbMRTEru6W7dV1saBj/9NPIo/SQ7rv2JzVRzZm1OxAmFEFB1nowY5BsjCw=="
}