Notcrawl
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Notcrawl appears purpose-aligned for searching and refreshing Notion archives, but it installs an external Go binary and may access local Notion data or a Notion API token.
This skill looks coherent for Notion archive search and freshness checks. Before installing, make sure you trust the upstream GitHub Go package, understand that local Notion archive content may be read into the agent context, and use a limited Notion token if you enable API sync.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The behavior of the installed binary depends on the current upstream package, not only on the visible SKILL.md instructions.
The skill installs an external Go binary using an unpinned @latest module, while no source code for that binary is included in the reviewed artifacts.
go | module: `github.com/openclaw/notcrawl/cmd/notcrawl@latest` | creates binaries: `notcrawl`
Install only if you trust the upstream repository, and prefer a pinned version or reviewed release when possible.
If provided, the Notion token may allow the tool to read Notion content available to that integration.
The skill may use a Notion API token for workspace access. This is expected for Notion API sync, but it is sensitive account authority.
API mode requires `NOTION_TOKEN`; do not assume token availability.
Use a least-privilege Notion integration token and only enable API sync for workspaces you intend the agent to access.
Private Notion content could be surfaced into the agent conversation when relevant to a user request.
The skill is designed to retrieve and use local Notion archive content as context, which may include private pages, databases, titles, dates, and workspace information.
Use local Notion archive data before browsing or live Notion API calls.
Install only for Notion archives you are comfortable letting the agent search, and avoid storing highly restricted pages in the accessible archive.
The agent can inspect archive data through SQL-style queries, which is useful but may reveal sensitive archived content.
The skill exposes SQL querying over the archive, but explicitly scopes it to read-only use and gives a count-query example.
`notcrawl sql "select count(*) from pages;"` ... Use read-only SQL only; never mutate the archive.
Keep SQL use read-only as instructed, and review outputs before sharing them outside the conversation.
