Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Notion Workspace

v1.0.0

Full Notion API skill — query databases, manage pages, append blocks, and search your entire workspace.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's name/description and the included script match (a full Notion API CLI). However, the registry metadata claims no required environment variables or primary credential even though both SKILL.md and scripts/notion_workspace.py require NOTION_API_KEY (and optionally NOTION_DATABASE_ID). That mismatch is unexpected and reduces trust in the package metadata.
Instruction Scope
SKILL.md instructs the user to set NOTION_API_KEY and optionally NOTION_DATABASE_ID and run the bundled Python script. The runtime instructions and CLI actions stay within Notion API operations (databases, pages, blocks, search). The script only calls api.notion.com and does not read unrelated files or environment variables.
Install Mechanism
This is an instruction-only skill with an included Python script and no install spec or external download. No installer downloads or extracted archives are present; nothing writes to disk beyond the provided files.
! Credentials
The script legitimately needs a single Notion integration token (NOTION_API_KEY) and optionally NOTION_DATABASE_ID. The package metadata, however, does not declare any required env vars or a primary credential — that omission is disproportionate and misleading because the token is sensitive and required for operation.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and does not add persistent background privileges. Autonomous invocation is allowed by default but is not combined with other high-risk factors here.
What to consider before installing
This package appears to be a legitimate Notion CLI: the code only talks to api.notion.com and implements expected Notion operations. However, the registry metadata failing to declare that NOTION_API_KEY (and optionally NOTION_DATABASE_ID) are required is a red flag — the token is sensitive. Before installing: (1) verify the publisher and origin (this package lists no homepage and an unknown owner id), (2) prefer creating a Notion integration token with the least privileges needed, (3) inspect the included scripts locally (you have them here) and run them in an isolated environment if possible, and (4) ask the publisher to correct the package metadata to declare required credentials. If you don't trust the source, do not provide your full workspace token.

Like a lobster shell, security has layers — review code before you run it.