Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wechat Mp To Notion

v0.1.0

Fetch WeChat public account (微信公众号) articles from mp.weixin.qq.com links and save them into Notion as structured pages. Use when the user wants to archive a...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The script and SKILL.md match the stated purpose: they fetch mp.weixin.qq.com article HTML, parse content and images, and create Notion pages via api.notion.com. However, the registry metadata lists no required environment variables or primary credential, while the SKILL.md and the code clearly require a Notion API token. This mismatch is an inconsistency in the metadata (not necessarily malicious, but important).
Instruction Scope
Runtime instructions are narrowly scoped: run the included Python script with a WeChat URL and a Notion parent ID. The script only fetches the provided WeChat URL and calls Notion's API (api.notion.com). It does not attempt to read arbitrary local files or contact other external endpoints beyond the article host and Notion.
Install Mechanism
There is no install spec (instruction-only + included script). No external installers, unusual download URLs, or archive extraction are present. The script will run from the skill workspace; this is low-risk from an install-mechanism perspective.
Credentials
The registry declares no required environment variables, but SKILL.md and the code require a Notion API token (NOTION_API_KEY or NOTION_TOKEN). That secret is necessary for the stated functionality, so the absence in registry metadata is a governance/information omission. The script requests only that Notion credential (no unrelated secrets), which is proportional — but the metadata inconsistency should be fixed so users know which secret will be used and stored by the agent.
Persistence & Privilege
always is false and the skill does not request permanent system presence or modify other skills. Its actions are confined to network calls that create pages in the user's Notion workspace (using the provided token).
What to consider before installing
This skill appears to do what it says: download a public WeChat article and create a Notion page. Before installing:
(1) Be aware you must provide a Notion token (NOTION_API_KEY or NOTION_TOKEN). The registry metadata currently omits this — ask the publisher to declare the required env var and primary credential.
(2) Only grant the token the minimal scope needed for creating pages and ensure the target page/database is shared with the integration.
(3) Inspect the included Python script yourself (or have someone you trust do so) to confirm it matches your expectations; it performs network requests to mp.weixin.qq.com and api.notion.com and does not otherwise exfiltrate data.
(4) If you plan to run this in a shared/production environment, prefer a token scoped to a dedicated Notion integration and not a broad user token.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f0hp5198d6nn1tc55xyy1ts83gq4h
