Skill v2.0.4

ClawScan security

Diy Pc Ingest · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 4, 2026, 12:45 PM

Verdict
benign

Confidence
high

Model
gpt-5-mini

Summary
The skill is internally consistent with its stated purpose (ingesting PC part notes into Notion) and only requests the Notion credential and node, but it relies on a separate notion-api-automation tool and has an optional external enrichment step you should be aware of.
Guidance
This skill appears to do what it says: parse pasted PC part notes and upsert into your Notion databases. Before installing, confirm you are comfortable granting a Notion integration token (NOTION_API_KEY) limited to the specific databases, and do not give broader privileges than needed. Note two practical items to review: (1) the skill optionally uses web_search/web_fetch for enrichment and that may send product text outside your environment — disable that if you don't want external queries, and (2) the JS script spawns notion-api-automation/scripts/notionctl.mjs; review or install that dependency from a trusted source because the skill delegates API calls to it. Finally, keep tokens/IDs out of the repo (the README already warns this) and store them in environment variables or a local-only config file as instructed.

Review Dimensions

Purpose & Capability
ok
Name/description align with implementation: the skill parses pasted purchase/spec text and upserts rows into Notion. Required binary (node) and required env (NOTION_API_KEY) are appropriate and expected for interacting with the Notion API and running the included JS script.

Instruction Scope
note
SKILL.md and the scripts only reference parsing local input, reading config under ~/.config/diy-pc-ingest, and calling the Notion API. There is an explicit optional enrichment step (web_search/web_fetch) which may send product text to external web providers; the skill documents this and gives an opt-out. The JS script spawns notion-api-automation/scripts/notionctl.mjs (via execFileSync) to make Notion API calls, so the behaviour also depends on that dependency's code.

Install Mechanism
ok
No remote download/install spec is present (instruction-only with included scripts). The code in the repo is plain JS/Python; nothing in the manifest pulls arbitrary bytes from unknown URLs. The skill does depend on a sibling ClawHub skill (notion-api-automation) for notionctl.mjs, which the README instructs the user to install via ClawHub.

Credentials
ok
Only Notion-related secrets are required: NOTION_API_KEY (primary), with optional NOTION_TOKEN / NOTION_API_KEY_FILE and NOTION_VERSION. Those map directly to Notion integration usage. The scripts read local config paths (~/.config/diy-pc-ingest/config.json and optionally a NOTION_API_KEY_FILE); this is reasonable for a tool that stores Notion IDs and tokens locally.

Persistence & Privilege
ok
always:false and user-invocable; the skill writes its own config under ~/.config/diy-pc-ingest if you run the bootstrap, which is normal. It does not request global platform privileges or modify other skills' configs.