Music Weekly

Review

Audited by ClawScan on May 15, 2026.

Overview

Music Weekly is a coherent music-curation workflow, but it uses a Notion key and can write to Notion and send configured messages, so users should verify the account scope and delivery target.

Before installing, make sure you are comfortable giving the skill a Notion integration key and letting it write to the configured Notion database and messaging destination. Use a dedicated Notion integration with access only to the intended page/database, protect the local config file that stores the key, and verify the delivery channel/target before scheduling automated weekly runs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Notion token with broad sharing could let the skill add or update data in more Notion content than intended.

Why it was flagged

The skill uses a Notion integration token to create pages in the configured Notion database, which is an account-level mutation within the pages shared with that integration.

Skill content
NOTION_KEY = os.environ.get("NOTION_KEY") or CONFIG.get("notion_api_key", "")
...
"Authorization": f"Bearer {NOTION_KEY}"
...
return _api("POST", f"/databases/{DB_ID}/pages",
Recommendation

Use a dedicated Notion integration shared only with the intended parent page or database, verify the database ID before running, and keep ~/.config/music-weekly/config.json private.

What this means

Running setup changes local configuration/state and may create a Notion database if credentials and a parent page are provided.

Why it was flagged

The recommended setup runs local Python code that writes files/directories and may call Notion to create a database; this is disclosed and purpose-aligned, not hidden auto-execution.

Skill content
python3 scripts/setup.py ... The script will automatically: create the configuration file ... create directories ... create the history file ... create the Notion database
Recommendation

Run the setup script only when you intend to initialize the workflow, review the target paths, and where possible avoid passing credentials in commands that end up in shared shell histories.

What this means

If the delivery target is wrong, recommendations and cover media could be sent to the wrong chat, channel, or account.

Why it was flagged

The workflow sends generated recommendation text and local cover media to an externally configured messaging destination.

Skill content
await message(
    action="send",
    channel=CONFIG["delivery_channel"],
    target=CONFIG["delivery_target"],
    message=text_only,
    media=local_cover_path,
)
Recommendation

Double-check delivery_channel and delivery_target before running automated or cron-based sends.