Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Session Log Analyzer
v1.1.0Analyze agent session logs and generate PDF reports with Notion sync
⭐ 0· 44·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes running python3 scripts to analyze session logs and sync to Notion, which matches the stated purpose. However the published bundle contains no scripts (no scripts/analyze_logs.py or scripts/sync_to_notion.py) and registry metadata at the top of the evaluation says 'Required env vars: none' while SKILL.md lists NOTION_API_KEY and NOTION_REPORTS_DB_ID — these inconsistencies mean the skill as distributed cannot perform its claimed work and the manifest doesn't align with what the skill asks for.
Instruction Scope
Runtime instructions tell the agent to execute local Python programs, read/write files (pdfs/), and rely on environment variables for Notion sync. The SKILL.md does not specify where session logs are stored or how sensitive fields are handled. Crucially, it instructs running scripts that are absent from the bundle; that ambiguity could lead an agent to attempt to fetch code or run other commands to proceed, which broadens scope unpredictably.
Install Mechanism
There is no install specification and no code files — the lowest-risk deployment type. That said, because the instructions reference local scripts that are missing, an agent might attempt to fetch or generate code at runtime; the skill itself does not include an install step, so there is no on-disk installer to inspect.
Credentials
NOTION_API_KEY and NOTION_REPORTS_DB_ID (declared in SKILL.md) are appropriate for Notion synchronization. However the registry metadata supplied elsewhere contradicted this (listed no required env vars), creating inconsistency. Also, the skill's functionality implies access to 'agent session logs' which may contain sensitive information; if you supply Notion credentials, ensure they are scoped minimally and you understand what report contents will be sent to Notion.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always: false) and does not claim to modify other skills or system-wide agent settings. Autonomous invocation is allowed by default but that is normal; no additional privileged persistence is requested.
What to consider before installing
This package is incomplete and inconsistent. Before installing or providing credentials: 1) Ask the publisher for the missing scripts (scripts/analyze_logs.py and scripts/sync_to_notion.py) or a public repository link so you can review the code. 2) Verify that NOTION_API_KEY is a scoped integration token (least privilege) and NOTION_REPORTS_DB_ID is the intended DB; avoid using high-privilege Notion tokens. 3) If the skill must analyze session logs, confirm exactly which files/paths it will read and what fields are included in generated PDFs/Notion entries to avoid leaking secrets. 4) Prefer skills that include their code or link to a trustworthy source; if you must test this skill, run it in a sandboxed environment and monitor network activity. Because the bundle omits its executables and has metadata mismatches, treat it as incomplete/untrusted until the author supplies the missing artifacts or a clear, reviewable source.Like a lobster shell, security has layers — review code before you run it.
latestvk973df93pq63k7t9rssqap97bs84fgy7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.