Back to skill
Skillv1.0.0
ClawScan security
Notion Calendar · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 6, 2026, 3:30 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions align with its stated purpose (Notion calendar management); requested credentials, local config path, and network endpoints are proportional and expected.
- Guidance
- This skill appears coherent for managing Notion calendar databases. Before installing: (1) create a Notion integration with the minimum scopes needed and share only the specific databases you want the skill to access; (2) provide a dedicated NOTION_API_KEY (avoid using a broad workspace or personal token); (3) expect the skill to create and update files in ~/notion-calendar/ — review that folder periodically and do not put secrets there; (4) if you don't want the agent to act autonomously, disable model invocation at the platform level; and (5) inspect any local memory files after initial setup to confirm they contain only non-secret context.
Review Dimensions
- Purpose & Capability
- okName/description map to the declared needs: NOTION_API_KEY and a local config directory are appropriate for discovering schemas, reading/writing pages, and caching mapping data. Optional use of a community CLI is documented as a fallback and is not required.
- Instruction Scope
- okSKILL.md confines actions to Notion API endpoints and local memory under ~/notion-calendar/. It requires schema discovery before writes, read-back verification after writes, and escalation on ambiguity — all appropriate safety controls. No instructions reference unrelated system files or undeclared environment variables.
- Install Mechanism
- okInstruction-only skill with no install spec and no code to fetch or execute — lowest-risk install posture.
- Credentials
- okOnly the Notion API key is required (primaryEnv = NOTION_API_KEY) and the requested local config path is used for benign caching/memory. The skill explicitly states it will not store API keys in memory files.
- Persistence & Privilege
- okSkill is not forced-always and does not request elevated platform privileges. It persists only to its own folder (~/notion-calendar/) per the instructions; autonomous invocation is allowed by default but not exceptional here.