Article Fetcher (Article Fetching + Notion Archiving)
Advisory
Audited by Static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If granted broad keys or cookies, the skill can upload to the configured OSS bucket, write to the configured Notion workspace/database, and access logged-in article pages.
The skill asks for OSS keys, a Notion API key/database ID, and optional website cookies. These are sensitive credentials, but they are disclosed and directly support the stated archive workflow.
ALIYUN_OSS_AK=your_ak ... NOTION_API_KEY=secret_xxx ... WECHAT_COOKIES_FILE=~/.cookies/wechat_cookies.txt
Use a dedicated Notion integration limited to the target database, an OSS key limited to the needed bucket/prefix and PutObject/GetObject, and only provide cookie files when needed.
Article content, including content fetched with cookies, may leave the local environment and be processed by the configured LLM provider.
When LLM settings are present, the article text is placed into a prompt and sent to the configured OpenAI-compatible LLM endpoint for keyword extraction.
user_prompt = TAG_EXTRACT_PROMPT.format(content=content) ... response = requests.post(endpoint, headers=headers, json=body, timeout=timeout)
Only enable LLM variables for content you are comfortable sending to that provider; unset LLM_API_KEY/LLM_BASE_URL/LLM_MODEL to use the local keyword fallback.
Running the workflow will contact image hosts and copy article images into your OSS bucket, which may make private or paywalled article images persist outside the original site.
The skill automatically downloads image URLs extracted from the article and uploads the bytes to the configured OSS bucket.
response = requests.get(img_url, headers=headers, timeout=30) ... result = self.bucket.put_object(oss_path, response.content)
Run it only for articles you intend to archive, keep OSS permissions narrow, and consider adding stricter image URL scheme/host validation if using it on untrusted content.
Users have less registry-level assurance about where this package originated.
The registry provenance is not specific to this skill. The supplied requirements are pinned and no remote install script is shown, so this is a provenance note rather than a concern.
Source: unknown; Homepage: https://github.com/openclaw/openclaw
Verify the installed files against a trusted repository or publisher before giving it real Notion, OSS, LLM, or cookie credentials.
