Shopee to Notion Sync
v1.0.0
Sync Shopee products into Notion using the local Node.js workflow only.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code implements Shopee search + Notion upsert which matches the skill description. However the registry metadata declares no required environment variables despite the code and README clearly requiring SHOPEE_APP_ID, SHOPEE_SECRET, NOTION_TOKEN, and NOTION_DATABASE_ID — this mismatch is unexpected and reduces trust/clarity.
Instruction Scope
SKILL.md restricts execution to the included Node script and forbids scraping/web search; the script follows that. But jobs/config.js uses dotenv.config with a hard-coded absolute path (/data/.openclaw/workspace-sales/.env) — the runtime will read that specific workspace .env file, which may contain other agent secrets; this expands the scope of what the skill can access beyond its own folder.
Install Mechanism
No install spec is provided (instruction-only install), but package.json and package-lock.json indicate normal npm deps (axios, dotenv). There are no external download URLs or extraction steps in the skill itself. Expect the user to run npm install manually.
Credentials
The code requires Shopee API credentials and a Notion token/database id — those are proportionate to the stated purpose. However: (1) the skill registry lists no required env vars (incoherent), and (2) the hard-coded dotenv path may surface additional environment variables from the workspace (possible unintended access to unrelated secrets).
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges, and it does not modify other skills or system-wide settings. Autonomous invocation is allowed by default but not combined with other high-privilege requests.
What to consider before installing
This skill's behavior generally matches its name — it calls the Shopee affiliate GraphQL endpoint and the Notion API to create/update pages. Before installing or running it:
- Treat the registry metadata as incomplete: the script requires SHOPEE_APP_ID, SHOPEE_SECRET, NOTION_TOKEN, and NOTION_DATABASE_ID (put them into a dedicated env file or export them at runtime).
- Inspect the .env file at /data/.openclaw/workspace-sales/.env (or change jobs/config.js) — the script will load that exact path, which could expose other workspace secrets; run the skill in an isolated workspace or modify config.js to use a skill-local .env or explicit env vars.
- Verify the Notion token's scope (least privilege) and the Shopee credentials before granting them.
- Run npm install in a controlled environment and review the dependencies (axios, dotenv are expected).
If you want higher assurance, ask the author to: (a) declare required env vars in the registry metadata, (b) remove the hard-coded absolute dotenv path or make it configurable, and (c) document exactly what is stored in the workspace .env so you can confirm no unrelated secrets will be read.
Like a lobster shell, security has layers — review code before you run it.
ecommerce latest notion shopee sync
Shopee Notion Sync
Use this skill for any request involving:
- searching Shopee products
- saving Shopee products to Notion
- updating the Shopee product table in Notion
- syncing Shopee with Notion
Mandatory rule
For any request covered by this skill, you MUST use only this command:
node jobs/sync-shopee-notion.js "<keyword>" <limit> <target>
Do NOT:
- use web search
- use browser tools
- use curl directly
- create Python scripts
- create shell scripts
- scrape websites
- write memory files
- invent product results
Defaults
- default target: shopee_produtos
- default limit: 10
Response format
Return only:
- keyword used
- target used
- created
- updated
- failures
Examples
node jobs/sync-shopee-notion.js "celular" 10 shopee_produtos
node jobs/sync-shopee-notion.js "blusas de academia femininas" 10 shopee_produtos
