Skill v1.2.5

ClawScan security

WeChat to Notion · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 18, 2026, 2:56 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and required credential (NOTION_API_KEY) are coherent with its stated purpose of fetching mp.weixin.qq.com articles and saving them to a Notion database.
Guidance
This skill appears to do exactly what it says: fetch WeChat article HTML (only mp.weixin.qq.com), parse it locally, and write blocks to a Notion database using your NOTION_API_KEY. Before installing, confirm: (1) only grant the Notion integration access to the specific database/page you want (do not give it workspace-wide access unless necessary), (2) keep your NOTION_API_KEY secret and do not paste it into chat (the SKILL.md correctly warns this), and (3) review the small scripts if you want to verify they meet your policies (they use curl subprocesses and post data only to Notion API and the WeChat URL). Note the README/comment mismatch around the config key name (skills.entries.wechat-to-notion.NOTION_API_KEY vs skills.entries.notion.apiKey); ensure you set the key where your OpenClaw installation expects it.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: fetch_wechat.py only allows mp.weixin.qq.com, and save_to_notion.py only calls the Notion API. Declared requirements (python3, curl, NOTION_API_KEY) are appropriate and necessary.
Instruction Scope
ok: SKILL.md steps (fetch → analyze → save) correspond to the scripts. The instructions only read the temporary article JSON and interact with mp.weixin.qq.com and api.notion.com; they do not request unrelated files, secrets, or external endpoints beyond image URLs and Notion.
Install Mechanism
ok: No install spec — instruction-only with two small scripts. No downloads from arbitrary URLs or package installs are requested.
Credentials
note: Only a single credential (NOTION_API_KEY) is required and used to call Notion. Minor documentation inconsistency: SKILL.md and README show setting skills.entries.wechat-to-notion.NOTION_API_KEY, while save_to_notion.py comments mention skills.entries.notion.apiKey; this is a documentation naming mismatch but not a functional request for extra secrets.
Persistence & Privilege
ok: always:false (default) and normal autonomous invocation. The skill does not request permanent system-wide privileges or modify other skills' configs.