Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Diy Pc Ingest

v2.0.4

Ingest pasted PC parts purchase/config text (Discord message receipts, bullet lists) into Notion DIY_PC tables (PCConfig, ストレージ, エンクロージャー, PCInput). Use when...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description align with implementation: the skill parses pasted purchase/spec text and upserts rows into Notion. Required binary (node) and required env (NOTION_API_KEY) are appropriate and expected for interacting with the Notion API and running the included JS script.
Instruction Scope
SKILL.md and the scripts only reference parsing local input, reading config under ~/.config/diy-pc-ingest, and calling the Notion API. There is an explicit optional enrichment step (web_search/web_fetch) which may send product text to external web providers; the skill documents this and gives an opt-out. The JS script spawns notion-api-automation/scripts/notionctl.mjs (via execFileSync) to make Notion API calls — so the behaviour also depends on that dependency's code.
Install Mechanism
No remote download/install spec is present (instruction-only with included scripts). The code in the repo is plain JS/Python; nothing in the manifest pulls arbitrary bytes from unknown URLs. The skill does depend on a sibling ClawHub skill (notion-api-automation) for notionctl.mjs, which the README instructs the user to install via ClawHub.
Credentials
Only Notion-related secrets are required: NOTION_API_KEY (primary), with optional NOTION_TOKEN / NOTION_API_KEY_FILE and NOTION_VERSION. Those map directly to Notion integration usage. The scripts read local config paths (~/.config/diy-pc-ingest/config.json and optionally a NOTION_API_KEY_FILE) — this is reasonable for a tool that stores Notion IDs and tokens locally.
Persistence & Privilege
always:false and user-invocable; the skill writes its own config under ~/.config/diy-pc-ingest if you run the bootstrap, which is normal. It does not request global platform privileges or modify other skills' configs.
Assessment
This skill appears to do what it says: parse pasted PC part notes and upsert into your Notion databases. Before installing, confirm you are comfortable granting a Notion integration token (NOTION_API_KEY) limited to the specific databases, and do not give broader privileges than needed. Note two practical items to review: (1) the skill optionally uses web_search/web_fetch for enrichment and that may send product text outside your environment — disable that if you don't want external queries, and (2) the JS script spawns notion-api-automation/scripts/notionctl.mjs; review that dependency or install it from a trusted source because the skill delegates API calls to it. Finally, keep tokens/IDs out of the repo (the README already warns about this) and store them in environment variables or a local-only config file as instructed.
scripts/notion_apply_records.js:99
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

latestvk97b469f8k8evmzpvz7vh47vv184624a

Runtime requirements

Bins: node
Env: NOTION_API_KEY
Primary env: NOTION_API_KEY
