Notion 1.0.0
Notion API for creating and managing pages, databases, and blocks.
by @7revor
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (Notion API client) matches the provided curl examples and operations. However, the metadata declares no required credentials while the instructions clearly require a Notion API key stored at ~/.config/notion/api_key. This mismatch is likely an oversight but is inconsistent.
Instruction Scope
SKILL.md instructs the agent/user to create a file in ~/.config/notion and to read that file (NOTION_KEY=$(cat ~/.config/notion/api_key)). The instructions therefore access local filesystem state not declared in metadata and also instruct writing a plaintext secret file without guidance on secure file permissions. Other than the secret file and API calls to api.notion.com, instructions stay within expected Notion usage.
Install Mechanism
No install spec and no bundled code — instruction-only skill — so nothing is written to disk by the platform installer beyond the agent following the prose. This is lowest-risk from an install perspective.
Credentials
The skill requires a Notion API key in practice but declares no primary credential or required env vars. The SKILL.md uses a local file containing the secret instead of declaring a secret env var or platform-managed credential. That omission reduces transparency about what credentials will be accessed and how.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. Its only persistent action implied is instructing the user to create a local config file for the API key, which is normal for API clients.
What to consider before installing
This skill is basically a curl-based Notion API recipe and likely safe in intent, but there are a few inconsistencies you should consider before installing:
(1) the metadata declares no required credentials while the SKILL.md tells you to create ~/.config/notion/api_key and the agent will read it — confirm you are comfortable storing a Notion key in that file and consider using a platform secret store or environment variable instead;
(2) the instructions write a plaintext key file without advising secure file permissions (use chmod 600 or a secrets manager);
(3) the package metadata ownerId in _meta.json does not match the registry owner ID — verify the publisher/source (homepage is Notion's docs but source is unknown);
(4) because this is instruction-only with no code, the agent will execute only the commands in SKILL.md if invoked, but the missing credential declaration reduces transparency.
If you proceed, verify the integration's scopes in Notion and restrict the API key to only the pages/databases you share with it.
Like a lobster shell, security has layers — review code before you run it.
latestvk97ctw63cabe8br8k80s1x9rz181ve3x
Runtime requirements
📝 Clawdis
