Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Notion Openapi Skill

v1.0.0

Operate Notion Public API through UXC with a curated OpenAPI schema for search, block traversal, page reads, content writes, and data source/database inspect...

0· 52·1 current·1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Notion OpenAPI traversal + writes) align with the included OpenAPI schema and usage examples. However, SKILL.md expects a Notion token (NOTION_API_TOKEN) and the presence of the 'uxc' helper, yet the registry metadata lists no required env vars or required binaries — a mismatch that reduces transparency. The included validate.sh script also requires 'jq' and 'rg' but those binaries are not declared in metadata.
Instruction Scope
Runtime instructions are narrowly scoped to calling api.notion.com via uxc, creating a notion-openapi-cli link, and performing read-first traversal and optional writes. The skill does not instruct reading arbitrary local files or unrelated system state. One concern: the docs recommend reusing a shared OAuth credential (notion-mcp) and explicitly note that adding the Notion-Version header to a shared credential will also send that header to mcp.notion.com — this is documented but can cause unintended header leakage to other endpoints.
Install Mechanism
No install spec is present (instruction-only), which is low-risk. The schema is referenced from raw.githubusercontent.com, a well-known host. The only filesystem/exec artifact is scripts/validate.sh (local validation) — it is not an install payload and appears harmless.
Credentials
The skill requires a Notion integration token or OAuth credentials to function, and SKILL.md shows use of NOTION_API_TOKEN via uxc. Yet registry metadata declares no required env vars and no primary credential — this omission is a transparency issue. Also, the advice to reuse an existing OAuth credential (notion-mcp) can cause the Notion-Version and Authorization headers to be sent to other host paths (mcp.notion.com), which may be undesirable; users should be warned to only reuse credentials when they understand the cross-host header behavior.
Persistence & Privilege
The skill is not always-enabled and does not request unusual persistence or elevated privileges. It provides examples to add auth bindings via uxc, but it does not autonomously modify other skills or system configs in the provided instructions.
What to consider before installing
This skill appears to be a legitimate Notion/OpenAPI wrapper, but double-check a few things before installing or providing secrets:

- Declare and use a dedicated Notion integration token (NOTION_API_TOKEN) rather than a shared or high-privilege token. The skill needs this token to work; the registry metadata omits that, so don't assume it won't need one.
- The SKILL.md recommends reusing an OAuth credential (notion-mcp). Reusing credentials can cause headers (Notion-Version, Authorization) to be sent to other endpoints (mcp.notion.com). Only reuse if you understand and accept that cross-host header behavior.
- The repository includes a validation script that expects jq and ripgrep (rg). Those binaries are not declared in the skill metadata — this is a minor transparency gap but not necessarily dangerous.
- Ensure you trust the 'uxc' CLI/tool referenced here; it is central to how this skill issues requests and manages credentials. If you don't control uxc, inspect its configuration and behavior before binding credentials.

If the owner can update the registry metadata to list NOTION_API_TOKEN (or declare the primary credential) and any required helper binaries, and more clearly warn about header leakage when reusing credentials, that would resolve the main concerns.


latest: vk976vm3gwkxctw86kcwrbgad5583hkxe
