Is luciorenovato/notion-tasks-blocks safe?

https://github.com/openclaw/skills/tree/main/skills/luciorenovato/notion-tasks-blocks

94
SAFE

notion-tasks-blocks is a minimal, well-scoped Notion API wrapper that manages checklist blocks on a user-specified page. The skill's SKILL.md contains no prompt injection patterns, and the shell script exclusively calls api.notion.com with the user's own token — it reads no sensitive files and downloads no remote code. Canary file access events in the syscall log are attributable to the OpenClaw monitoring framework's pre/post-install baseline scans rather than the skill itself, as confirmed by intact canary file integrity and the identical-millisecond-timestamp batching pattern.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 91/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 89/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 92/100 · 5%

Findings (4)

INFO Canary file access events attributed to monitoring framework -9

The audit syscall log shows six canary credential files accessed in two tight timestamp clusters (1771905492.508-510 pre-install and 1771905514.729 post-install). Both clusters occur either before the skill was installed or after the session ended, and all six files in the final cluster share an identical millisecond timestamp — consistent with a programmatic baseline sweep by the OpenClaw auditing framework rather than the skill script. The canary integrity check confirms no file was modified or exfiltrated.

LOW curl --data uses unquoted shell variable -4

In the request() function, --data "$data" passes a shell variable directly. This is benign in practice because $data is always produced by node -e which performs JSON serialization, but if the variable were ever populated from unsanitized user input via a different code path it could be a vector.

INFO NOTION_TOKEN visible in curl Authorization header -3

The Notion API token appears in curl -H "Authorization: Bearer $NOTION_TOKEN". With -sS (silent + show errors) it will not appear in normal output. This is standard practice for API integrations and does not constitute a vulnerability.

INFO New listener ports opened by openclaw-gateway after install -11

The connection diff shows new LISTEN sockets on 127.0.0.1:18790 and 127.0.0.1:18793 owned by the openclaw-gateway process, not the skill. This is normal orchestration infrastructure, not skill behavior.