Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shopee to Notion Sync
v1.0.0
Sync Shopee products into Notion using the local Node.js workflow only.
by Carine Bertagnolli Bathaglini (@cbbathaglini)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
The code implements Shopee search + Notion upsert which matches the skill description. However the registry metadata declares no required environment variables despite the code and README clearly requiring SHOPEE_APP_ID, SHOPEE_SECRET, NOTION_TOKEN, and NOTION_DATABASE_ID — this mismatch is unexpected and reduces trust/clarity.
Instruction Scope
SKILL.md restricts execution to the included Node script and forbids scraping/web search; the script follows that. But jobs/config.js uses dotenv.config with a hard-coded absolute path (/data/.openclaw/workspace-sales/.env) — the runtime will read that specific workspace .env file, which may contain other agent secrets; this expands the scope of what the skill can access beyond its own folder.
Install Mechanism
No install spec is provided (instruction-only install), but package.json and package-lock.json indicate normal npm deps (axios, dotenv). There are no external download URLs or extraction steps in the skill itself. Expect the user to run npm install manually.
Credentials
The code requires Shopee API credentials and a Notion token/database id — those are proportionate to the stated purpose. However: (1) the skill registry lists no required env vars (incoherent), and (2) the hard-coded dotenv path may surface additional environment variables from the workspace (possible unintended access to unrelated secrets).
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges, and it does not modify other skills or system-wide settings. Autonomous invocation is allowed by default but not combined with other high-privilege requests.
What to consider before installing
This skill's behavior generally matches its name — it calls the Shopee affiliate GraphQL endpoint and the Notion API to create/update pages. Before installing or running it:
- Treat the registry metadata as incomplete: the script requires SHOPEE_APP_ID, SHOPEE_SECRET, NOTION_TOKEN, and NOTION_DATABASE_ID (put them into a dedicated env file or export them at runtime).
- Inspect the .env file at /data/.openclaw/workspace-sales/.env (or change jobs/config.js) — the script will load that exact path, which could expose other workspace secrets; run the skill in an isolated workspace or modify config.js to use a skill-local .env or explicit env vars.
- Verify the Notion token's scope (least privilege) and the Shopee credentials before granting them.
- Run npm install in a controlled environment and review the dependencies (axios, dotenv are expected).
If you want higher assurance, ask the author to: (a) declare required env vars in the registry metadata, (b) remove the hard-coded absolute dotenv path or make it configurable, and (c) document exactly what is stored in the workspace .env so you can confirm no unrelated secrets will be read.
Like a lobster shell, security has layers — review code before you run it.
Tags: ecommerce, latest, notion, shopee, sync
