GitHub Stars Export
Warn
Audited by ClawScan on May 18, 2026.
Overview
The skill largely matches its stated GitHub-to-Notion purpose, but its Notion sync handles your Notion token unsafely and can archive existing Notion database entries without a clear confirmation step.
Only use this skill if you are comfortable granting it Notion write access and authenticated GitHub CLI access. Before running it, remove verify=False from the Python script, explicitly pass your intended Notion parent page ID, back up or inspect any existing Notion database referenced in assets/.notion_sync_config.json, and consider running the export step separately before syncing.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone on the network path could potentially impersonate Notion and capture your Notion token or the repository data being synced.
The script places the Notion API key in an Authorization header while disabling certificate verification for Notion API requests, increasing the risk that the token and synced data could be intercepted.
NOTION_TOKEN = os.environ.get("NOTION_API_KEY")
...
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
...
requests.post(url, headers=HEADERS, json=payload, verify=False)
Remove all verify=False usage, stop suppressing TLS warnings, require a valid NOTION_API_KEY, and document the minimum Notion integration permissions needed.
If the saved database ID is wrong or the agent runs the sync unintentionally, existing Notion database entries could be archived and disappear from normal views.
On repeat runs, the script archives every page returned from the configured Notion database before inserting fresh rows, with no confirmation prompt or schema/ownership check.
if db_id:
    print(f"Found existing database ID in config for '{args.db_name}': {db_id}")
    clear_database(db_id)
...
requests.patch(patch_url, headers=HEADERS, json={"archived": True}, verify=False)
Add an explicit confirmation or dry-run mode before archiving, verify the database schema and creator marker, and only archive pages previously created by this skill.
The sync may try to create a database under an unintended Notion page unless you override the parent ID.
New database creation defaults to a fixed Notion parent page ID that is not explained in SKILL.md, so the destination of writes is not clearly user-selected.
DEFAULT_PARENT_PAGE_ID = "f94aa417-3269-4fa6-a869-dc5b22eb1cca"
...
parser.add_argument("--parent-id", default=DEFAULT_PARENT_PAGE_ID, help="ID of the parent Notion page.")
Require the user to provide --parent-id explicitly, document how to choose it, and avoid hardcoded workspace/page identifiers.
You may not realize before install that this skill depends on authenticated gh access, jq, requests, and a Notion API key.
The registry metadata does not surface the runtime dependencies and credential need that the included SKILL.md and agent.yaml describe.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none ... Install specifications: No install spec
Update registry metadata to declare gh, jq, the Python requests dependency, and NOTION_API_KEY.
The documentation may give users a misleading impression of how safely credentials are handled.
The documentation makes an unsupported credential-handling claim and calls the token handling secure, while the actual script disables TLS verification for API calls.
The script will securely read your integration token from your environment variables ... (Note: A default fallback key is hardcoded within the script if the environment variable is not set).
Correct the documentation, remove the false fallback-key statement, and avoid describing credential handling as secure until TLS verification is restored.
