Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Notion
v0.1.0
Notion API for creating and managing pages, databases, blocks, relations, rollups, and multi-workspace profiles via the notioncli CLI tool.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a Notion CLI (create/update/delete pages, query DBs, comments, users) and declares NOTION_API_KEY and an npm install of @jordancoin/notioncli — which is appropriate for this purpose. However, the registry metadata above says 'Required env vars: none' and 'No install spec', which contradicts the SKILL.md. Also SKILL.md expects npm to be available but the skill doesn't declare npm as a required binary.
Instruction Scope
The runtime instructions stay within Notion management (listing DBs, creating/updating pages, comments). They instruct running 'notion init --key $NOTION_API_KEY' which will 'save your API key' and auto-discover databases. The SKILL.md does not say where or how the key is stored (file path, encryption), which is a privacy/security detail worth verifying.
Install Mechanism
Install is via npm global package (@jordancoin/notioncli) referenced in SKILL.md metadata. Installing a global npm package is a moderate risk: it runs third-party code on your system. The registry claims 'no install spec', yet SKILL.md provides an npm install command and an install.sh file exists in the bundle — this packaging inconsistency increases risk because it's unclear which install path the marketplace expects to run.
Credentials
NOTION_API_KEY is the single credential the CLI needs and is proportional to the functionality. But the marketplace metadata omitted that requirement, and SKILL.md's 'init' will persist the key locally without describing storage/permissions. You should ensure the API key has minimal scopes and confirm where the key is saved.
Persistence & Privilege
No 'always: true' and no special persistent privileges are requested. Model invocation settings are default (model can invoke), which is typical for a user-invoked integration.
What to consider before installing
This appears to be a legitimate Notion CLI skill, but verify a few things before installing:
1) Confirm the npm package author (@jordancoin) and review the package source (the GitHub repo) to ensure it's the expected code.
2) Check where 'notion init' stores your NOTION_API_KEY and whether it's encrypted or stored plaintext; prefer storing keys in a secure vault.
3) Limit the API key's scopes to only the databases/workspaces needed.
4) Because the registry metadata contradicts the SKILL.md (env/install omissions) and an install.sh is present, prefer installing in a controlled environment or inspect the install.sh contents first.
If you are not comfortable inspecting code, avoid global npm installs from unverified publishers.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📝 Clawdis
Env: NOTION_API_KEY
Primary env: NOTION_API_KEY
