ClawHub

Notion Manager

v0.0.1

Notion CLI for creating and managing pages, databases, and blocks.

7· 4.9k·27 current·27 all-time
by@willykinfoussia
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the actions shown (creating/reading/updating Notion pages/databases). The single required env var NOTION_TOKEN is appropriate. Minor mismatch: SKILL.md/homepage point to the GitHub repo 'litencatt/notion-cli' but the install instruction uses npm package '@iansinnott/notion-cli' (different author/namespace). This could be a harmless fork or documentation mistake but should be verified before installing.
Instruction Scope
Runtime instructions stay within the Notion API/CLI domain (curl examples target api.notion.com and notion-cli commands). However the SKILL.md recommends storing the API key in ~/.config/notion/api_key and reading it into NOTION_TOKEN; the registry metadata declared no required config paths. The instructions therefore reference a local config file path that wasn't declared in metadata — not necessarily malicious but a documentation/consistency issue.
Install Mechanism
This is an instruction-only skill (no install spec or code files), so nothing will be written by the skill itself. The SKILL.md tells the user to run `npm install -g @iansinnott/notion-cli` manually. Because there is no install spec, you should independently verify the npm package identity, author, and trustworthiness (package name/author doesn't match the SKILL.md homepage).
Credentials
Only NOTION_TOKEN is requested as the primary credential, which is proportionate for a Notion CLI skill. Note: the instructions advise storing the token in plaintext at ~/.config/notion/api_key — this is convenient but increases risk if other processes or skills can access your home directory. Prefer using secure secret storage where available and grant the token minimal scopes (only the integration access needed).
Persistence & Privilege
The skill does not request permanent presence (always is false) and does not modify other skills or system-wide settings. Model invocation is allowed (default) which is normal for user-invocable skills. No elevated persistence or hidden autorun behavior is present in the files provided.
What to consider before installing
This skill appears to do what it says (manage Notion via a CLI) and only asks for NOTION_TOKEN, which is expected. Before installing or using it: 1) Verify the npm package author and package name (@iansinnott/notion-cli) match a trusted source or the GitHub repo you expect (the SKILL.md homepage points to litencatt/notion-cli — check which is correct). 2) Avoid storing your token in plaintext if possible; use your platform's secret manager or at least restrict filesystem access and rotate the token after testing. 3) Limit the integration's access to only the pages/databases needed. 4) If you see unexpected network endpoints, or if the npm package author differs from the GitHub repo, do not install until you confirm the package's provenance. If you want, I can help check the npm package and GitHub repo for authorship and recent release metadata.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ajfcgehy089wsdqhbz3fp4580g740

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📓 Clawdis
EnvNOTION_TOKEN
Primary envNOTION_TOKEN

Comments