Skill v1.0.0

ClawScan security

Generate Daily Sports Update · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 4, 2026, 4:20 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The SKILL.md instructions and declared runtime requirements match the stated purpose (fetch sports science data and sync to Notion), but the registry metadata (no required env vars/bins) contradicts the SKILL.md and the instructions are vague in places — this inconsistency and the need to run a user-local script justify caution.
Guidance
Before installing or invoking this skill:
(1) Resolve the metadata inconsistency: confirm whether NOTION_TOKEN, NOTION_PAGE_ID and python3 are actually required (the SKILL.md says they are, the registry summary does not).
(2) Inspect the actual daily_sports_update.py and requirements.txt on your machine (or the repository referenced in SKILL.md) to ensure the script's behavior is acceptable; specifically review network calls, any file-system operations, and any third-party packages in requirements.txt.
(3) Use a Notion integration with least privilege (a token scoped to the target page) and do not give broader credentials.
(4) Run the script in a controlled environment or sandbox first (or with a dry run) to confirm it only writes the intended processed_history.json and .md files and only sends data to the expected endpoints (api.notion.com and eutils.ncbi.nlm.nih.gov).
(5) If you plan to let an agent run commands for you, restrict what tools it can call or require user confirmation before executing shell commands.
If the registry owner/source cannot be verified, treat the skill as higher risk.

Review Dimensions

Purpose & Capability
note: The skill's purpose (run a local crawler script and sync to Notion) aligns with the requirements listed inside SKILL.md: python3, NOTION_TOKEN, and NOTION_PAGE_ID. However, the registry-level metadata provided earlier in the package summary lists no required binaries or env vars, which contradicts SKILL.md. That mismatch is an incoherence to clarify before trusting the skill.
Instruction Scope
note: SKILL.md instructs the agent to run a local Python script (daily_sports_update.py), install requirements from requirements.txt, read/write processed_history.json and produce .md files, and call external services (NCBI and Notion). Those actions are consistent with the stated purpose, but the instructions are somewhat vague about where the script lives ('user's sports-science-daily directory') and implicitly expect the agent to run shell commands via run_command. The vagueness gives the agent broad discretion (e.g., to search the filesystem), so confirm exactly which files/paths will be touched.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files delivered by the skill itself. That minimizes installation risk (nothing is downloaded or extracted by the skill package). The SKILL.md does ask the user to install Python dependencies locally (pip3 install -r requirements.txt), which is normal for running a user-owned script; the packages that command pulls in are still third-party code and should be reviewed as part of step (2) of the guidance.
Credentials
note: The environment variables referenced in SKILL.md (NOTION_TOKEN and NOTION_PAGE_ID) are appropriate for syncing to Notion. However, the earlier registry summary claimed no required env vars; this contradiction should be resolved. No unrelated credentials are requested in the instructions, which is good.
Persistence & Privilege
ok: The skill does not request always:true or any elevated persistent privileges. It does require the ability to run shell commands (run_command) to execute the user's script, which is normal for an instruction that runs a local script.