Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
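Notion Idea Library + Milestone Tracking
v1.1.0
Notion API for creating and managing pages, databases, and blocks. Also includes an idea library (💡) persistence workflow, triggered when the user says "入库" ("add it to the library"), "记录这个想法" ("record this idea"), "这个先记下来" ("note this down for now"), or "持久化这个" ("persist this").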
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Notion idea + milestone tracker) match the included scripts and SKILL.md: both implement create/update flows against specific Notion database IDs and require a Notion API key. Minor inconsistencies: _meta.json ownerId/version differ from registry metadata (ownerId and version mismatch), which could indicate packaging/version drift or mis-upload.
Instruction Scope
Runtime instructions are scoped to reading a local API key (~/.config/notion/api_key), building JSON properties, prompting the user for confirmation, and calling the Notion API (api.notion.com). The scripts do not reference unrelated system files or external endpoints beyond Notion. They use curl via subprocess to talk to the Notion API and expect JSON responses.
Install Mechanism
No install spec — instruction-only with bundled scripts. No downloads or archive extraction. This has low install risk because nothing external is fetched during install.
Credentials
The skill requires a Notion integration key stored at ~/.config/notion/api_key, but the package metadata declares no primary credential or required env vars/binaries. The scripts also implicitly require curl and python3 to be available. The omission of a declared primary credential (Notion API key) and required binaries is an inconsistency that should have been declared.
Persistence & Privilege
always:false and no special persistence or modification of other skills. The skill does not request elevated or permanent platform privileges beyond autonomous invocation (disable-model-invocation is false, which is normal).
What to consider before installing
This skill appears to implement the described Notion idea + milestone tracking flows and only talks to api.notion.com, but there are a few red flags to verify before installing:
- Verify the origin and integrity: _meta.json ownerId/version differ from the registry metadata; confirm you trust the publisher and that the files haven't been tampered with.
- The skill needs a Notion integration key stored at ~/.config/notion/api_key but the package metadata does not declare this credential; create a dedicated Notion integration with minimal scopes (pages/databases) and use that key. Do not reuse broad org or admin keys.
- The scripts invoke curl via subprocess; ensure curl/python3 exist and inspect the scripts yourself (they are short and readable) to confirm there are no hidden endpoints or behaviors. Running them in a limited user account or sandbox first is prudent.
- If you want stricter hygiene, ask the publisher to update metadata to declare the primary credential and required binaries, and to resolve the owner/version mismatch.
If you cannot verify the publisher or the mismatches, treat the package as untrusted and avoid installing it into accounts with sensitive Notion scopes.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📝 Clawdis
