Skill v2.0.1
ClawScan security
Diy Pc Ingest · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 3:38 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (ingesting PC-part notes into Notion) but the registry metadata omitted required config/credential details and the skill writes a local config; review Notion token usage and local config before installing.
- Guidance: This skill appears to do what it claims: parse pasted PC part text and upsert rows into Notion. Before installing or running it:
  - Provide a dedicated Notion integration token (NOTION_API_KEY) with only the necessary DB/page access; do not reuse high-privilege tokens.
  - Be aware the skill will write ~/.config/diy-pc-ingest/config.json when bootstrapping IDs and may read ~/.config/notion/api_key or other env-vars (DIY_PC_INGEST_CONFIG, NOTION_API_KEY_FILE). Inspect that config and remove any secrets before sharing.
  - Review scripts/notion_apply_records.js and bootstrap_config.js (they are readable JS) to confirm behavior and to see what fields will be sent to Notion.
  - If you want to limit network exposure, run the skill in a controlled environment or temporarily restrict the integration's access while testing.
  - Because registry metadata omitted required env/config declarations, treat the omission as an informational mismatch (not necessarily malicious) and confirm you can supply the required NOTION_API_KEY and local config before enabling the skill.
Review Dimensions
- Purpose & Capability (note): The skill is clearly designed to parse/classify user-pasted PC part text and upsert rows into Notion; the bundled JS/Python scripts call the Notion API and use the 2025-09-03 data_sources/pages endpoints as described. However, the registry metadata claims no required environment variables or config paths, while the SKILL.md and scripts require a Notion token (NOTION_API_KEY or NOTION_TOKEN and fallback file NOTION_API_KEY_FILE) and local config (~/.config/diy-pc-ingest/config.json). That mismatch is an administrative/information omission but not malicious.
- Instruction Scope (ok): SKILL.md confines runtime behavior to classifying/extracting fields from pasted text, optionally enriching via web_search/web_fetch, asking clarifying questions, and then calling scripts/notion_apply_records.js to upsert into Notion. The scripts themselves are deterministic and only perform Notion queries/patches/creates. There is no instruction to read unrelated sensitive system files or exfiltrate data to unknown endpoints (all network calls target api.notion.com).
- Install Mechanism (ok): There is no install spec (instruction-only skill) and bundled code is plain JS/Python source. No remote downloads or opaque binaries are pulled during install. The only persistence is writing a local config file under the user's home (~/.config/diy-pc-ingest/config.json) via bootstrap behavior.
- Credentials (note): The skill requires a Notion integration token (NOTION_API_KEY/NOTION_TOKEN) to function and may read/write local files (NOTION_API_KEY_FILE, DIY_PC_INGEST_CONFIG, and ~/.config/diy-pc-ingest/config.json). Those are proportional to the stated Notion-upsert purpose, but the registry metadata did not declare these required env vars or config paths; verify you supply a dedicated limited-scope Notion integration token and manage the local config carefully.
- Persistence & Privilege (note): always:false (no forced always-on). The skill will create/overwrite ~/.config/diy-pc-ingest/config.json when bootstrapping Notion IDs if the config is missing, and it will read token files from ~/.config/notion/api_key if used. This is reasonable for convenience but users should be aware of and control that file creation and the token source. The skill does not modify other skills' configs or system-wide settings.
