Skill v0.1.0

ClawScan security

Notcrawl · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 28, 2026, 5:54 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions align with its stated purpose (mirroring Notion to local SQLite + Markdown); nothing requested looks disproportionate or unrelated, though the SKILL.md embeds a GitHub-release install hint that isn't present in the registry install section.
Guidance
This skill appears to do what it says: it requires a Notion integration token and the notcrawl binary and stores a local SQLite DB plus exported Markdown under ~/.notcrawl. Before installing or running:
(1) verify the notcrawl binary comes from the GitHub repo linked in SKILL.md and, if available, check release checksums/signatures;
(2) create a Notion integration with least privilege and only share the pages/databases you want mirrored;
(3) keep NOTION_API_KEY secret (store it securely in your credential manager or environment);
(4) review the contents of ~/.notcrawl for any sensitive data before sharing;
(5) if you want stronger isolation, run the binary inside a container or dedicated user account.
The only minor inconsistency is that the registry metadata showed no install spec while SKILL.md embeds a GitHub-release install entry — that doesn't appear malicious but you may want to confirm installation instructions in the repo match what you expect.

Review Dimensions

Purpose & Capability
ok
Name/description require a Notion integration token and a notcrawl binary; both are present in the metadata and SKILL.md and are necessary for mirroring Notion content to local storage.
Instruction Scope
ok
Runtime instructions are limited to obtaining a Notion integration token, sharing pages with that integration, running the notcrawl binary (init, sync, export), and writing outputs under ~/.notcrawl. The instructions do not ask for unrelated files, credentials, or exfiltration to third-party endpoints.
Install Mechanism
note
SKILL.md includes metadata describing a GitHub-release install (vincentkoc/notcrawl) which is a reasonable, low-risk install source; however the registry's top-level metadata indicated 'No install spec' — this mismatch between registry install fields and SKILL.md is an inconsistency to be aware of. The described install uses GitHub releases (expected) and not a random URL or shortener.
Credentials
ok
Only NOTION_API_KEY is required and is justified by the skill's Notion integration purpose. The skill writes data to ~/.notcrawl (config, DB, markdown export), which is expected for a mirroring tool.
Persistence & Privilege
ok
The skill is not force-included (always:false), is user-invocable, and does not request system-wide privileges or modify other skills. It stores data under the user's home directory as expected.