Skill v1.0.0

ClawScan security

Notion co-worker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 17, 2026, 11:06 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The instructions ask the agent to read the user's Gmail and Notion workspace and to post replies, but the skill declares no credentials or configuration and omits required details (credential handling, the referenced identity.md), so its declared requirements do not match its actual behavior, raising privacy and safety concerns.
Guidance
This skill will read your Gmail (unread Notion notification emails), access your Notion workspace, and post replies, yet it declares no credentials or configuration. That inconsistency is a warning sign on its own. Before installing or enabling it, ask the publisher: (1) Exactly which credentials and tokens does the skill need (Gmail OAuth scopes, Notion integration token), and where and how will they be supplied and stored? (2) Will the agent ever post to Notion without explicit confirmation? Can you require a review step or limit it to draft replies? (3) Which platform tools (notion-fetch, notion-get-comments, conversation_search, web_search) will it use, and do they already exist in your runtime with the privileges it expects? (4) What logs or audit trail exist, and how do you revoke the skill's access? Also note that identity.md is referenced but not provided; ask for it. If you proceed, follow the principle of least privilege: grant the read-only Gmail scope (gmail.readonly) rather than full mailbox access, use a Notion integration token shared only with the workspace pages the skill needs, and require manual approval before any post. If the publisher cannot clearly explain credential handling and safeguards, do not enable this skill.
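The safeguards the guidance asks for (sender-restricted read access, an approval step before any post, an audit trail, and denial of past-chat access) can be enforced at the tool-call boundary rather than trusted to the skill's prose. The following gate is an added example, not code from ClawHub or from the Notion co-worker skill. The tool names are the ones this report lists; the gmail_search tool name, the approve() hook and the audit-log record shape are assumptions made for the example.

```python
"""Tool-call policy gate for an agent running the Notion co-worker skill.

Added example, not ClawHub's or the skill's own code. Tool names are the ones
the scan report lists; 'gmail_search', the approve() hook and the audit-log
record shape are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Callable

# Tools the report names, grouped by effect. Anything not listed is denied.
READ_ONLY_TOOLS = {"gmail_search", "notion-fetch", "notion-get-comments", "web_search", "web_fetch"}
WRITE_TOOLS = {"notion-create-comment", "notion-create-page"}
# Past-chat/memory access is not part of the declared purpose, so deny it outright.
DENIED_TOOLS = {"conversation_search", "recent_chats"}

# The only sender the skill legitimately needs to read, per its SKILL.md.
ALLOWED_SENDER = "notify@mail.notion.so"

# Minimum grants to hand the skill if you enable it (documentation, not enforced here):
#   Gmail:  the read-only scope https://www.googleapis.com/auth/gmail.readonly
#   Notion: an integration token shared only with the pages the skill must reach


@dataclass
class Decision:
    tool: str
    allowed: bool
    reason: str


@dataclass
class PolicyGate:
    # Human-in-the-loop hook: called before every write tool; True means approved.
    approve: Callable[[str, dict], bool]
    audit_log: list = field(default_factory=list)

    def check(self, tool: str, args: dict) -> Decision:
        """Decide whether one tool call may proceed and record it in the audit log."""
        if tool in DENIED_TOOLS:
            decision = Decision(tool, False, "past-chat/memory access is outside the declared scope")
        elif tool == "gmail_search":
            decision = self._check_gmail(args)
        elif tool in READ_ONLY_TOOLS:
            decision = Decision(tool, True, "read-only tool")
        elif tool in WRITE_TOOLS:
            approved = self.approve(tool, args)
            decision = Decision(tool, approved, "approved by user" if approved else "user declined")
        else:
            decision = Decision(tool, False, "tool not in the skill's declared tool list")
        self.audit_log.append(
            {"tool": tool, "args": args, "allowed": decision.allowed, "reason": decision.reason}
        )
        return decision

    def _check_gmail(self, args: dict) -> Decision:
        # Gmail search syntax: require an explicit from: filter on the Notion sender,
        # so the skill cannot read arbitrary mail even with a read-only scope.
        query = args.get("query", "")
        match = re.search(r"from:(\S+)", query)
        sender = match.group(1).strip('"') if match else None
        if sender != ALLOWED_SENDER:
            return Decision("gmail_search", False, f"query must be limited to from:{ALLOWED_SENDER}")
        return Decision("gmail_search", True, "read-only, sender-restricted")


def demo() -> list:
    """Drive the gate with a few constructed calls; returns the audit log."""
    gate = PolicyGate(approve=lambda tool, args: False)  # no human available to approve
    gate.check("gmail_search", {"query": "from:notify@mail.notion.so is:unread"})
    gate.check("gmail_search", {"query": "is:unread"})  # too broad: whole inbox
    gate.check("notion-fetch", {"page_id": "example-page"})
    gate.check("notion-create-comment", {"text": "Drafted reply"})  # blocked without approval
    gate.check("conversation_search", {"q": "budget"})
    return gate.audit_log


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The gate is deliberately deny-by-default: a tool the skill never declared (a shell, a file writer) is refused even though the instructions never mention it, and the Gmail query is rejected unless it carries the sender filter, because a read-only scope alone still exposes the whole mailbox.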

Review Dimensions

Purpose & Capability
concern: The skill's stated purpose is to monitor Notion comment mentions via Gmail and reply in Notion. The SKILL.md explicitly requires Gmail access (searching unread mail from notify@mail.notion.so) and multiple Notion operations (fetch pages, read full comment threads, create comments and pages), yet the skill metadata declares no required environment variables, no primary credential, and no config paths. That is inconsistent: legitimate operation requires Gmail and Notion API credentials or access tokens, and they are neither declared nor justified.
Instruction Scope
concern: The runtime instructions tell the agent to search the user's Gmail inbox, read email bodies to extract URLs and comment text, read conversation history and memory, fetch Notion page contents and entire discussion threads, optionally run web searches and fetch web pages, post replies to Notion threads, and create research subpages documenting everything. These are broad, sensitive operations (email reading, workspace access, autonomous posting), and the instructions neither constrain nor limit their scope (no label restrictions, no confirmation before posting); they even recommend processing all matching notifications in sequence. The skill also references identity.md, which is not included.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, which minimizes filesystem and install risk: nothing is downloaded or written by an installer. The runtime still relies on platform-provided tools (notion-fetch, notion-get-comments, notion-create-comment, web_search, web_fetch, conversation_search), so their availability and privileges in your environment matter.
Credentials
concern: The SKILL.md requires access to the Gmail and Notion APIs and to conversation/memory tools, but requires.env is empty and no primary credential is declared. Sensitive tokens (a Gmail OAuth token, a Notion integration token, or an email-forwarding configuration) are necessary for this functionality, so their absence from the declared requirements is a disproportionate omission. The skill also instructs the agent to use conversation_search and recent_chats (access to past chats and memory) without limiting or disclosing that access.
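The Purpose & Capability and Credentials findings above are the same check applied from two sides: the instructions reference services and tools, and the manifest declares no credential for them. The following static check reproduces that comparison on constructed input. It is an added example, not ClawHub's scanner code; the manifest field names (requires.env, primary_credential) follow the ones this report mentions, and the sample SKILL.md texts and manifests are constructed for the example.

```python
"""Static consistency check between a skill's declared requirements and its
runtime instructions, flagging the mismatch described in this report.

Added example, not ClawHub's scanner code. The manifest shape (requires.env,
primary_credential) follows the field names the report mentions; the sample
SKILL.md texts and manifests below are constructed for the example.
"""
import re

# Service -> (pattern showing the instructions use it,
#             pattern a declared credential name should match if the skill declares it)
SERVICE_RULES = {
    "Gmail": (r"\bgmail\b|@mail\.notion\.so", r"GMAIL|GOOGLE"),
    "Notion": (r"\bnotion\b", r"NOTION"),
}
MEMORY_TOOLS = ("conversation_search", "recent_chats")


def declared_credentials(manifest: dict) -> set:
    """Every credential name the manifest admits to needing."""
    declared = set(manifest.get("requires", {}).get("env", []))
    if manifest.get("primary_credential"):
        declared.add(manifest["primary_credential"])
    return declared


def referenced_files(instructions: str) -> set:
    """Markdown files the instructions tell the agent to read, e.g. identity.md."""
    return set(re.findall(r"\b[\w-]+\.md\b", instructions)) - {"SKILL.md"}


def review(manifest: dict, instructions: str, bundled_files: list) -> tuple:
    """Return (verdict, findings) for one skill."""
    declared = declared_credentials(manifest)
    findings = []
    for service, (use_pattern, cred_pattern) in SERVICE_RULES.items():
        uses = re.search(use_pattern, instructions, re.I)
        has_cred = any(re.search(cred_pattern, name, re.I) for name in declared)
        if uses and not has_cred:
            findings.append(f"concern: instructions use {service} but no {service} credential is declared")
    for tool in MEMORY_TOOLS:
        if tool in instructions:
            findings.append(f"concern: instructions call {tool} (past-chat/memory access) without scoping or disclosure")
    for name in sorted(referenced_files(instructions) - set(bundled_files)):
        findings.append(f"concern: instructions reference {name}, which is not included in the skill")
    writes = re.search(r"\b(post|create|reply)\b", instructions, re.I)
    gated = re.search(r"confirm|approv", instructions, re.I)
    if writes and not gated:
        findings.append("concern: instructions post content with no confirmation step")
    return ("suspicious" if findings else "ok", findings)


# Constructed inputs mirroring the report: the skill as scanned, then a fixed version.
AS_SCANNED_MANIFEST = {"requires": {"env": []}, "primary_credential": None}
AS_SCANNED_SKILL_MD = (
    "Read identity.md for your persona. Search Gmail for unread mail from notify@mail.notion.so. "
    "For each notification, notion-fetch the page and notion-get-comments on the thread, then "
    "notion-create-comment with your reply. Use conversation_search to recall earlier discussions. "
    "Process all matching notifications in sequence."
)
FIXED_MANIFEST = {"requires": {"env": ["GMAIL_OAUTH_TOKEN", "NOTION_TOKEN"]}, "primary_credential": None}
FIXED_SKILL_MD = (
    "Read identity.md for your persona. Search Gmail (read-only scope) for unread mail from "
    "notify@mail.notion.so. notion-fetch the page and notion-get-comments, draft a reply, and "
    "wait for the user's approval before notion-create-comment."
)

if __name__ == "__main__":
    for label, manifest, text, files in (
        ("as scanned", AS_SCANNED_MANIFEST, AS_SCANNED_SKILL_MD, ["SKILL.md"]),
        ("fixed", FIXED_MANIFEST, FIXED_SKILL_MD, ["SKILL.md", "identity.md"]),
    ):
        verdict, findings = review(manifest, text, files)
        print(label, verdict)
        for finding in findings:
            print("  ", finding)
```

Run against the as-scanned inputs it reports five concerns (undeclared Gmail and Notion credentials, conversation_search use, the missing identity.md, and posting with no confirmation step); against the fixed manifest and instructions it reports none. The check is intentionally lexical: it catches a skill that forgets to declare what it uses, not one that lies about it, which is why the runtime gate still matters.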
Persistence & Privilege
note: always is false (ok). The skill may be invoked autonomously (disable-model-invocation: false), which is the platform default. The instructions expect the agent to monitor and process Gmail Notion notifications and to re-trigger if the user has used the skill before, which amounts to ongoing monitoring whenever it is permitted. Persistent monitoring combined with email and workspace access is a sensitive privilege that should be consented to explicitly, but the skill metadata does not document expected frequency, required user approvals, or safeguards.