Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cli Notion

v1.0.0

Command-line tool to create, list, and retrieve Notion pages using Notion API with JSON input and output.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, README, SKILL.md and the Python code all consistently implement a Notion CLI (create/list/get pages, status) and use the Notion API. However the registry metadata claims "Required env vars: none" and "Primary credential: none" even though both SKILL.md and the code expect NOTION_API_KEY (or --api-key). That mismatch is unexpected and should be fixed or explained.
Instruction Scope
SKILL.md and README give explicit commands and instruct setting NOTION_API_KEY. The runtime instructions do not ask the agent to read unrelated files, secrets, or call endpoints other than api.notion.com. The code's runtime behavior matches the documented commands.
Install Mechanism
There is no install spec or packaged download; the skill includes a local Python script and docs. No external installers, archive downloads, or unusual install steps are present.
Credentials
The code legitimately requires a single Notion integration secret (NOTION_API_KEY). That is proportional to the stated purpose. The concern is that the package registry metadata does not declare this requirement or primary credential, which could mislead automated permission checks or users. No other credentials or sensitive env vars are requested.
Persistence & Privilege
Skill does not request persistent/always-on privileges, does not modify other skills or system configs, and uses normal CLI invocation. Autonomous invocation is allowed by default but not combined with other red flags.
What to consider before installing
This looks like a simple Notion CLI that only needs your Notion integration secret, but the registry metadata failing to declare that credential is a red flag (likely sloppy packaging, but could mislead permission reviewers). Before installing:

1) Confirm the publisher/source (the _meta.json repo URL should be checked).
2) Treat NOTION_API_KEY as sensitive: create a dedicated Notion integration with minimal scopes and only grant it to the specific databases/pages needed; do not reuse a broader account key.
3) Inspect or run the single Python file in an isolated environment if possible to confirm it only calls api.notion.com.
4) Ask the publisher to correct the registry metadata to declare NOTION_API_KEY as a required/primary credential.

If you cannot verify the source or you need stricter assurance, avoid installing or run it in a sandbox/container. Additional information that would raise confidence: an authoritative repository URL with matching code, or corrected registry metadata declaring the required env var.

Like a lobster shell, security has layers — review code before you run it.

latest vk975mrwgys6j0pvf124hc1751h8413kd
62 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

CLI-Notion SKILL.md

Version: 1.0.0
Type: CLI Tool
Interface: Command Line + JSON


Description

CLI-Notion is a command-line interface for Notion that lets AI agents operate Notion directly.


Installation

Set the environment variable:

export NOTION_API_KEY=your_integration_secret

Commands

# Create a page
python cli-notion.py create-page --parent DB_ID --title "Task"

# List pages
python cli-notion.py list-pages --database DB_ID

# Get a page
python cli-notion.py get-page PAGE_ID

# Status check
python cli-notion.py status

License

Commercial license - ¥68
