ClawHub

Notion Mvp

v1.0.0

Create and list Notion tasks in a single database via Notion API. Use when the user asks to add tasks, list today tasks, or capture quick todos in Notion fro...

0· 590·0 current·0 all-time
by@luciorenovato
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (create/list Notion tasks) matches the included script: it calls api.notion.com using a NOTION_TOKEN and database IDs. However the registry metadata claims no required env vars or binaries, while SKILL.md and scripts require NOTION_TOKEN and either NOTION_DATABASE_MAP or NOTION_DATABASE_ID and also rely on external binaries (node, curl). The missing declarations in metadata are a discrepancy.
Instruction Scope
SKILL.md instructs the agent to run the bundled bash script which only uses NOTION_TOKEN, database IDs/map, and interacts with the Notion API. The runtime behavior is limited to querying Notion and constructing/creating pages; it does not read arbitrary files or other environment variables.
Install Mechanism
There is no install spec (instruction-only with an included script), so nothing is downloaded at install time. The script executes node and curl at runtime; the skill does not declare these required binaries in metadata, so the environment may be missing needed runtime dependencies.
!
Credentials
The environment variables used (NOTION_TOKEN, NOTION_DATABASE_MAP / NOTION_DATABASE_ID) are appropriate and proportional for a Notion integration. The concern is that the registry metadata lists no required credentials/env vars, so the skill's declared requirements do not match what it actually needs at runtime.
Persistence & Privilege
The skill does not request persistent 'always' privilege, does not modify other skills or system-wide settings, and does not store new credentials itself. Autonomous invocation is allowed (platform default) but not combined with other high-risk factors.
What to consider before installing
This script is largely coherent with a Notion task helper: it needs an integration token (NOTION_TOKEN) and either a NOTION_DATABASE_MAP (alias->database_id JSON) or a NOTION_DATABASE_ID fallback. Before installing: (1) be aware the registry metadata incorrectly claims no env vars or required binaries — you must provide NOTION_TOKEN and database IDs and have curl and node available. (2) Create a dedicated Notion integration with the minimum scopes needed (read/write pages) and share only the intended database(s) with that integration — do not reuse a full-account token. (3) Review the script (already included) to confirm it only calls api.notion.com and does not access other files; it does not attempt exfiltration beyond requests to Notion. (4) If you want stronger assurance, ask the publisher to fix the registry metadata to declare NOTION_TOKEN and the DB map and to note required binaries (node, curl). If you cannot verify the origin of the skill or do not want to provide a Notion token, do not install.

Like a lobster shell, security has layers — review code before you run it.

latestvk970g4y2k4v3a6znqnaest6m6d81eb2y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments