Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gemini Deep Research → Notion
v1.1.0
Trigger Gemini Deep Research via browser and save results to Notion. Use when the user asks to "deep research" a topic, says "gemini deep research", or wants...
by Andy Xie @palmpalm7
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The declared purpose (trigger Gemini Deep Research and export to Notion) matches the instructions, but the skill metadata lists no required env vars or config paths while the SKILL.md explicitly requires reading a Notion API key from ~/.config/notion/api_key and using a browser profile. README also claims it 'runs as a subagent' while SKILL.md mandates running in the main session — a direct contradiction. The hard-coded Notion parent page ID in SKILL.md is another oddity (the README tells the user to update it). These mismatches indicate sloppy or incomplete packaging and require clarification.
Instruction Scope
SKILL.md instructs the agent to (a) open the managed OpenClaw browser profile, interact with the Gemini web UI, and save the conversation URL, (b) sleep/poll for up to ~30 minutes (exec sleep), (c) extract content from DOM elements in chunks, write the concatenated report to /tmp/deep_research_<timestamp>.md, and (d) call the Notion API via curl. Reading ~/.config/notion/api_key is explicitly required. These actions are within the stated purpose but the SKILL.md reads local secret files and writes temporary files without those accesses being declared in the metadata — a scope and transparency issue.
Install Mechanism
No install spec is provided and there are no code files — this is an instruction-only skill. That is the lowest-risk install mechanism (nothing is downloaded or written during install).
Credentials
The skill metadata declares no required environment variables or config paths, but SKILL.md expects a Notion API key (reads ~/.config/notion/api_key) and uses $NOTION_KEY in the curl command. Asking to read a local secret file is sensitive but reasonable for Notion export — however it should be declared explicitly (and use a single consistent method: file or env). The hard-coded parent page ID may cause unexpected behavior if the user doesn't update it. Overall, requested secrets/access are plausible for the feature but the omission from metadata is a red flag.
Persistence & Privilege
always:false and no system-wide changes are requested. The skill requires running in the main session (to access the browser), which increases its runtime privileges compared to a subagent but is functionally necessary for browser automation. The README's claim that it runs as a subagent contradicts the SKILL.md requirement to run in the main session and should be corrected.
What to consider before installing
Before installing, verify and fix the inconsistencies: (1) Confirm you are comfortable letting the skill read a local Notion API key — SKILL.md reads ~/.config/notion/api_key and uses $NOTION_KEY in requests; place a dedicated, least-privilege Notion integration token there if you proceed. (2) Update the hard-coded Notion parent page ID in SKILL.md to a page you control (the README mentions this but the skill ships with a default UUID). (3) Decide whether you accept the main-session requirement (the skill will drive the managed browser and may run for ~25–30 minutes, using exec sleep and writing /tmp files). (4) Prefer the skill explicitly declare required env vars/config paths in metadata; ask the publisher to correct the README contradiction (subagent vs main session). If you cannot confirm these items or trust the source, do not install. If you proceed, use a Notion token with minimal scope and monitor created pages during the first run.
Like a lobster shell, security has layers — review code before you run it.
latestvk97dhswygc9nnamcgs4byc9gcx836gr7
