AutomateLab agency-os
Advisory
Audited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can update Notion task rows, statuses, logs, and related task/corpus data within the connected workspace.
The skill is explicitly allowed to use MCP tools to change Notion data. This matches the stated purpose, but incorrect commands or bad ID resolution could alter the user's task board.
The skill mutates Notion via the Notion MCP (`mcp__*__notion-*` tools)
Use it only with the intended Notion workspace/database, review task IDs before mutation commands, and keep backups or Notion history available for recovery.
Anyone running the skill with a broad Notion token could give the agent broad access to query and modify permitted Notion content.
The helper script reads a Notion API token from the environment or .env and uses it to call the Notion REST API. This is expected for Notion integration and no token logging or unrelated transmission is shown.
token = load_env_var("NOTION_KEY") ... "Authorization": f"Bearer {token}"
Create a Notion integration token scoped only to the needed agency-os pages/databases, store NOTION_KEY securely, and do not commit .env.
If untrusted or stale instructions are placed in Notion task pages, the agent may treat them as task context during execution.
Notion task descriptions and guidance are intentionally loaded into agent context for future work. This is core to the workflow, but content in those pages can influence agent behavior.
When `/agency-os start <id>` runs, the agent's kickoff brief contains: ... Full **Description** body ... General Guidance (this page, full).
Limit who can edit the Notion task board and review task descriptions/guidance before starting work, especially for tasks that involve external accounts or code changes.
A local file under the skill directory may retain summaries and links from Notion tasks after refresh operations.
The script persists a local sidecar containing task IDs, URLs, properties, dependency data, and description previews. This is scoped to the skill but may contain private workspace information.
SIDECAR = SKILL_DIR / "state" / "todo-ids.json" ... "description_preview": desc ... SIDECAR.write_text(json.dumps(payload
Do not put secrets in task descriptions, protect the local .claude directory, and delete the state file if you no longer want local task metadata retained.
If the subagent makes a mistaken Notion update, the main agent may relay the result rather than independently validating it.
The skill uses an explicit orchestrator-to-subagent handoff for Notion mutations and instructs the orchestrator not to independently verify the work. This is disclosed and may avoid duplicate writes, but it is an important trust boundary.
Every `/agency-os <command>` invocation runs on **Sonnet at medium reasoning effort** via a subagent ... Do **not** re-run any step yourself, do not "double-check" the subagent's work.
Review the subagent's output and, for important changes, confirm the resulting Notion state directly.
