Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Voice2notion

v1.2.0

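Transcribes voice recordings and saves them to a Notion database. Uses faster-whisper for transcription, automatically extracts key information, and writes it to the database.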

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (audio → transcription → Notion) is coherent with the runtime instructions which install faster-whisper, transcribe audio, and push records to a Notion database. However, registry metadata says 'required env vars: none' and 'required config paths: none' while SKILL.md explicitly requires a local Notion API key file (~/.config/notion/api_key) and the NOTION_DATABASE_ID env var. This metadata/instruction mismatch is a sign of sloppy packaging and should be resolved before trusting automation.
Instruction Scope
SKILL.md instructions stay within the transcription→Notion workflow, showing the exact Python snippet, model choices, and how to store/upload audio links. Concerns: instructions reference 'uv' commands (uv venv, uv pip) and a ~/.openclaw path which are not declared in registry requirements — the agent or user environment may not have 'uv' and the behavior of 'uv' is unspecified. The doc also recommends placing audio on publicly accessible URLs for Notion links, which is a privacy/data-leak risk (but is functionally coherent).
Install Mechanism
This is instruction-only (no install spec in registry), so nothing is automatically written by the skill. SKILL.md asks the user to create a virtualenv and run 'pip install faster-whisper' and warns the model will be downloaded (~140MB–1GB+ depending on model). That manual installation is reasonable for this task, but users should be aware of large model downloads and network traffic. The 'uv pip install' usage is unusual and not explained; confirm what 'uv' does before running.
Credentials
The only runtime secret needed is the Notion API Key and a Notion database ID, which are proportionate to the purpose. But the skill recommends storing the API key in plaintext at ~/.config/notion/api_key (and also using an env var), and the registry metadata failed to declare these requirements. The combination of undeclared secret usage and plaintext local storage is a security/privacy concern that should be addressed (use secure secret storage, file permissions, or env vars).
Persistence & Privilege
The skill does not request always:true, does not include install-time code, and is instruction-only. It doesn't request elevated privileges or modify other skills' configs. Persistence and privilege level are appropriate for an offline transcription→Notion workflow.
What to consider before installing
Summary and actionable checks before installing:
- Metadata mismatch: SKILL.md requires a Notion API key file (~/.config/notion/api_key) and NOTION_DATABASE_ID, but the registry metadata lists no required env/configs. Treat this as a packaging error; confirm required files/env vars before trusting automation.
- Verify 'uv' usage: The instructions call 'uv venv' and 'uv pip install'. If you don't know what 'uv' is (it is not a standard tool), do not run those commands. Replace them with standard virtualenv and pip commands (python3 -m venv, pip install) or confirm the 'uv' tool is legitimate.
- API key handling: The guide recommends saving the Notion API key in a plaintext file. Prefer using an environment variable with appropriate process/file permissions or a secrets manager. Do not commit the file to any repository. Rotate the key if it's exposed.
- Data privacy: The documentation suggests using public URLs for audio files. That can leak sensitive audio. Use private/authenticated storage (or Notion's supported file upload methods) if the recordings are sensitive.
- Model downloads and resource use: faster-whisper will download models (hundreds of MB to >1GB) and may be CPU/GPU intensive. Ensure you have bandwidth and storage.
- Test manually first: Run the provided commands locally in an isolated virtualenv with a non-production Notion integration and a test database to confirm behavior. Inspect any automation/agent steps before granting it access to your Notion credentials.

If you want, I can: a) extract the exact commands to run safely without 'uv'; b) show a safer pattern for storing/consuming the Notion API key; or c) suggest how to modify the SKILL.md to make metadata consistent.

Like a lobster shell, security has layers — review code before you run it.
