tool-save-to-notion

Key points to consider before installing: - Metadata mismatch: The registry shows no required env vars, but the SKILL.md and scripts require NOTION_API_KEY. Confirm where you should put the Notion token and ensure the runtime will provide it securely (environment variable NOTION_API_KEY). - Credential scope: Use a Notion integration token limited to only the specific database (6f7bb9cc-...) and minimal write scope. Do not supply a broader account token. - Network fetches: The skill will fetch arbitrary user-provided URLs (HTTP GET) to extract metadata and images. If you run agents in a sensitive environment, be aware this can reach internal or private endpoints (SSRF risk). If needed, restrict outbound network access or sandbox the agent. - Trigger behavior: SKILL.md's language to 'immediately use this skill' for any tool URL is broad. If you allow autonomous skill invocation, the agent may perform many fetches and Notion writes. Consider disabling autonomous invocation for this skill or confirming prompts that trigger it. - Implementation inconsistencies: SKILL.md suggests using Bash/curl and settings.json, but the shipped code is a Python script that reads NOTION_API_KEY from the environment and uses urllib. Verify your runtime can execute the script and that the expected environment matches how you manage credentials. - Verify Database ID and test safely: Confirm the provided database_id is the one you expect. Test with a throwaway Notion token and database to confirm behavior before giving production credentials. If these issues are acceptable (provide the token as an env var, restrict token scope, and control when the skill is invoked), the skill's behavior appears coherent with its stated purpose. If any of the mismatches or the broad automatic-trigger wording worry you, treat the skill as untrusted until corrected.