Scan Report
5 /100
diy-pc-ingest
Ingest pasted PC parts purchase/config text into Notion DIY_PC tables
A legitimate PC parts inventory ingestion tool for Notion with transparent behavior, declared dependencies, and no malicious indicators.
Safe to install
This skill is safe to use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | Scripts only call Notion API |
| Filesystem | NONE | NONE | — | No file writes, only reads local config |
| Shell | WRITE | WRITE | ✓ Aligned | execFileSync calls notionctl.mjs (declared in metadata) |
| Environment | READ | READ | ✓ Aligned | Reads NOTION_API_KEY and NOTION_VERSION |
2 findings
Medium External URL 外部 URL
https://www.notion.so/my-integrations README.md:32 Medium External URL 外部 URL
https://api.notion.com/v1 scripts/_deprecated/notion_apply_records.py:29 File Tree
6 files · 51.9 KB · 1456 lines Python 1f · 576L
JavaScript 1f · 485L
Markdown 3f · 363L
JSON 1f · 32L
├─
▾
references
│ ├─
config.example.json
JSON
│ └─
notion-ids.md
Markdown
├─
▾
scripts
│ ├─
▾
_deprecated
│ │ └─
notion_apply_records.py
Python
│ └─
notion_apply_records.js
JavaScript
├─
README.md
Markdown
└─
SKILL.md
Markdown
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
node (binary) | any | system | No | Declared required dependency |
notion-api-automation (skill) | latest | clawhub | No | Declared skill dependency |
Security Positives
✓ No obfuscation or encoded payloads detected
✓ No credential exfiltration - API key used only for Notion API calls
✓ No reverse shell, C2 communication, or data theft patterns
✓ Network access limited to declared Notion API endpoint
✓ Shell execution is minimal and controlled (execFileSync for notionctl)
✓ Local config files (~/.config) are legitimate for skill configuration
✓ Web enrichment is optional and user-controlled
✓ All Notion IDs passed as CLI arguments (not hardcoded)