Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Notion Database Automation
v1.0.0
Automate common Notion database operations like batch page creation, data filtering, content generation, and export. Use when you need to automate workflows...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The Python scripts call only the Notion API and implement querying, creating, updating (batch_create and export_csv exist), and exporting — which matches the stated purpose. However, the documentation references additional artifacts that are not present (templates/ files and a batch_update.py script are mentioned but not included), and the README promises 'AI-generated summary' features that are not implemented and no LLM dependency is present. These mismatches reduce confidence in the package's completeness and intent.
Instruction Scope
SKILL.md instructs the agent/user to pass a Notion API token (or set NOTION_API_TOKEN) and to share databases with the integration. The runtime instructions and code interact only with Notion endpoints and CSV/JSON files, which is appropriate. However SKILL.md also mentions using OpenClaw secrets and templates that are not shipped; the instructions rely on an environment variable that the registry metadata did not declare. There are minor import/path assumptions (some examples use scripts.notion_client while code uses a top-level notion_client import) that could cause runtime confusion.
Install Mechanism
There is no install spec (instruction-only style) and requirements.txt lists only requests. No external downloads, unknown URLs, or archive extraction are used. This is low-risk from an install mechanism perspective.
Credentials
The package requires a Notion API token (NOTION_API_TOKEN) to operate — the code enforces this — but the registry metadata lists no required environment variables or primary credential. That mismatch is important: the skill will need a secret but the manifest doesn't declare it. No other unrelated credentials are requested, which is proportionate, but the omission from metadata and the ability to pass the token via arguments means users should be careful about how they provide the token.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time persistence. It runs only when invoked and does not claim or require elevated platform privileges.
What to consider before installing
This package appears to implement Notion database operations and uses only the official Notion API, but there are a few red flags you should consider before installing:
- The manifest claims no required env vars, but both the docs and the code require a Notion API token (NOTION_API_TOKEN). Treat this token like any secret: only provide an integration token with minimal scope and share the specific databases with that integration rather than granting workspace-wide privileges.
- The SKILL.md mentions files and features that aren't present (templates/ directory, a batch_update.py script, and 'AI-generated summary' behavior). That suggests the package or its documentation is incomplete or out-of-sync. Ask the publisher for the missing files or a corrected manifest if you need those features.
- Review the code yourself (or have someone you trust do it) before giving the token to the skill. The scripts only make requests to api.notion.com and read/write CSV/JSON files, which is expected, but you should verify there are no hidden endpoints or additional network calls in other versions.
- When testing, use a throwaway Notion integration and database (or limit integration access) so any unexpected behavior is contained. Avoid supplying long-lived or highly privileged tokens until you are confident in the package.
If you need higher confidence, request a corrected manifest (declare NOTION_API_TOKEN as a required env var and include missing files) or obtain the package from a trusted source that publishes templates and the full codebase.
Like a lobster shell, security has layers — review code before you run it.
latestvk975tykcwkyncqbmevwnnzfgvn83jkvm
