Skill v1.0.3

ClawScan security

recall-from-notion · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 4, 2026, 2:37 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior (reading a Notion 'Memory Store' and proactively injecting those memories) matches its description, but it omits declaring its dependency on a Notion integration and asks the agent to access workspace/project state and another skill's SKILL.md — details that should have been explicit and increase the risk surface.
Guidance
This skill will proactively read a Notion database named 'Memory Store' and inject those pages as conversation context. Before installing: (1) Confirm you have a trusted 'notion' integration installed and review that integration's credentials/permissions (this skill relies on it but doesn't declare it). (2) Be aware the skill may read workspace/project state (working directory) and other skill SKILL.md files — ensure the agent's platform access to local files and other skills is acceptable. (3) Verify what content is stored in your 'Memory Store' in Notion; sensitive personal data there will be used automatically when the skill triggers. If you want tighter control, ask the developer to declare the Notion credential requirement and add an explicit opt-in trigger rather than proactive recall.

Review Dimensions

Purpose & Capability
note: The skill's name/description match what the instructions do (discover a Notion DB named 'Memory Store', search it, fetch pages, and use results as context). However, the skill does not declare the dependency it repeatedly references (an external 'notion' skill on OpenClaw or platform MCP tools). That omission is a coherence/packaging issue: the skill requires Notion access but lists no required env vars or explicit dependency.
Instruction Scope
note: Instructions are narrowly focused on locating and reading the 'Memory Store' database and using those pages as conversation context. Two items merit attention: (1) it tells the agent to read the Notion skill's SKILL.md to learn API patterns (it assumes the agent can read other skill files), and (2) for some platforms it recommends detecting the 'current project' from the working directory. Both actions require access to other skill content and local workspace state that are outside the simple 'read a DB' description and should be explicit to users.
Install Mechanism
ok: Instruction-only skill with no install steps or downloads. This is low risk from an install/execution perspective.
Credentials
concern: The skill itself declares no env vars or primary credential, but it depends on a Notion integration (MCP tools or an external 'notion' skill) that will require credentials. Because this dependency is not declared, users may not realize the skill will cause the agent to access Notion data via other credentials. The skill should explicitly declare that Notion API access is required and list the expected credential/config names.
Persistence & Privilege
ok: The skill is not always-enabled and defaults allow autonomous invocation (platform default). That is appropriate for a proactive memory-recall skill; no excessive persistence or cross-skill config changes are requested in the instructions.