ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Notion

v1.0.0

Notion API for creating and managing pages, databases, and blocks. And also 50+ models for image generation, video generation, text-to-speech, speech-to-text...

0· 184·0 current·0 all-time
by@modestyrichards
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill is named/described as a Notion API integration but the SKILL.md exclusively documents the SkillBoss (heybossai.com) multi-model API. Required env var SKILLBOSS_API_KEY matches the SkillBoss content but is unrelated to Notion; this is a clear mismatch between claimed purpose and actual capability.
Instruction Scope
Instructions are limited to curl calls against https://api.heybossai.com and examples for many model types (chat, image, video, tts, stt, etc.). They do not instruct reading local files or other environment variables, nor do they call any Notion endpoints — so scope is narrow but inconsistent with the stated Notion purpose.
Install Mechanism
No install spec or code files are included (instruction-only). That minimizes on-disk risk; the skill only provides curl/bash examples and does not download or install additional software.
!
Credentials
Only SKILLBOSS_API_KEY is requested, which is appropriate for the documented heybossai API but not for a Notion integration. Asking for a single API key is reasonable — but you should confirm what that key can do, who operates heybossai.com, and whether it has broad privileges across many model providers.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation settings. It does not request elevated platform persistence or modify other skills.
What to consider before installing
Do not install or provide secrets until the mismatch is resolved. The skill advertises Notion functionality but the runtime docs call a third-party API (api.heybossai.com) and require SKILLBOSS_API_KEY. Ask the publisher to explain: is this meant to be a Notion connector or a SkillBoss wrapper? Verify the publisher identity and the domain heybossai.com. If you must test, create a tightly-scoped or ephemeral SKILLBOSS_API_KEY with minimal permissions and monitor its use, or use a throwaway account. If you expected a Notion integration, decline installation until a correct Notion-focused implementation is provided. Because the skill can make network calls with your API key, treat the key as potentially sensitive and be prepared to revoke it if unexpected activity appears.

Like a lobster shell, security has layers — review code before you run it.

latestvk976qpd7wdndptd7fxyp5sw80982rnmg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments