notipo
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is coherent with its stated purpose, but it can publish, update, and delete WordPress/Notion blog content using a Notipo API key, so users should approve high-impact actions carefully.
Before installing, confirm you trust the Notipo service and npm CLI, keep the API key private, and configure the connected WordPress/Notion accounts with only the access needed. Have the agent create drafts first and require explicit human approval before publishing, updating, deleting, syncing, or running batch workflows.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could make visible changes to a connected blog, including publishing or deleting posts.
The skill documents commands that can publish public WordPress content and delete existing posts. This is expected for the skill's purpose, but these are high-impact actions that should be user-approved.
### Create and publish immediately
```bash
notipo posts create ... --publish
```
### Delete a post
```bash
notipo posts delete POST_ID
```
Use draft creation by default, review content before using `--publish`, and require explicit confirmation before update, delete, sync, or batch operations.
Anyone or any agent with the API key may be able to create or modify content through the connected Notipo account.
The skill requires a Notipo API key for an account connected to Notion and WordPress. That credential use is disclosed and purpose-aligned, but it grants delegated authority over connected publishing workflows.
connect your Notion database and WordPress site through the dashboard, then grab your API key ... export NOTIPO_API_KEY="ntp_your-api-key"
Protect the API key, scope the connected Notion/WordPress access as narrowly as possible, rotate the key if exposed, and avoid sharing it in logs or prompts.
Installing the CLI runs code obtained from npm rather than code reviewed in this artifact set.
The skill instructs users to install a global npm CLI package. This is central to the stated workflow, but the downloaded package code is not part of the provided instruction-only artifact.
npm install -g notipo
Install the CLI only if you trust the Notipo npm package and source, and consider pinning or reviewing the package version used in your environment.
