Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Notion IM Helper

v1.5.1

Sync IM messages to Notion via Notion API. Supports 7 content types, 4 formats, 2 metadata types. Append-only to a single Notion page.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The scripts and SKILL.md implement exactly the stated purpose (append-only Notion syncing). However the registry header/metadata claims 'Required env vars: none' and 'No install spec / instruction-only' while config.yaml and SKILL.md declare NOTION_API_KEY and NOTION_PARENT_PAGE_ID and the code requires Python and the notion-client package. This mismatch is packaging/information incoherence (not necessarily malicious).
Instruction Scope
SKILL.md instructs running the included Python scripts and the scripts only call Notion's API (api.notion.com). The runtime instructions map directly to the scripts' commands and the scripts only read env vars related to Notion, perform appends, reads, search, and an undo (delete last block). No unrelated files, system paths, or external endpoints are accessed.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md and config.yaml tell users to 'pip install notion-client'. The code is Python and will require Python and the notion-client package; lack of a formal install declaration in the registry is an inconsistency but the install itself (pip install notion-client) is a standard, low-to-moderate risk action.
Credentials
The only secrets the skill needs are NOTION_API_KEY and NOTION_PARENT_PAGE_ID (and an optional NOTION_QUOTES_PAGE_ID). Those are appropriate for a Notion integration. The inconsistency is that the registry's top-level metadata omitted declaring these required env vars while config.yaml and SKILL.md correctly list them.
Persistence & Privilege
Skill flags are standard (always: false, agent-autonomous invocation allowed). The skill does not request permanent system-wide privileges, does not modify other skills, and does not write unexpected files or persist credentials beyond reading environment variables.
What to consider before installing
This skill's code implements an append-only Notion sync and legitimately needs a Notion integration token (NOTION_API_KEY) and the target page ID. Before installing:

  1. Verify you are comfortable providing a Notion integration token (prefer creating a token with the minimum necessary page access).
  2. Note the registry metadata is inconsistent — the package claims 'no env vars' but the SKILL.md and config.yaml require NOTION_API_KEY and NOTION_PARENT_PAGE_ID; treat that as a packaging oversight.
  3. Review scripts (already included) yourself for peace of mind — they call only api.notion.com and perform appends, searches, and a single-block undo.
  4. Install in a controlled environment (or test workspace/page) and run check_config.py first.
  5. If you need stronger assurance, ask the publisher for a homepage or provenance; absence of a listed homepage/maintainer increases the risk that packaging mistakes could hide problems.
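
One way to do the script review for the environment-variable mismatch the scan reports, as an added example (not code from the skill or the scanner): it walks a script's AST for `os.environ` / `os.getenv` reads and compares them with what a manifest declares. `SAMPLE_SCRIPT` is a constructed stand-in for the skill's scripts, the function names are hypothetical, and the two declared sets are transcribed from this page. Requires Python 3.9+.

```python
import ast

# Constructed stand-in for a skill script; not the real record.py source.
SAMPLE_SCRIPT = '''
import os
api_key = os.environ.get("NOTION_API_KEY")
page_id = os.environ["NOTION_PARENT_PAGE_ID"]
quotes_page = os.getenv("NOTION_QUOTES_PAGE_ID", "")
extra = os.environ[some_name]  # key is not a literal: needs manual review
'''

REGISTRY_DECLARED = set()  # the registry header claims "Required env vars: none"
SKILL_MD_DECLARED = {"NOTION_API_KEY", "NOTION_PARENT_PAGE_ID", "NOTION_QUOTES_PAGE_ID"}

def _literal(node):
    """Return the string value of a literal AST node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None

def env_reads(source):
    """Return (names, dynamic_lines) for os.environ / os.getenv reads in source."""
    names, dynamic_lines = set(), []
    for node in ast.walk(ast.parse(source)):
        key = None
        if (isinstance(node, ast.Call) and node.args
                and ast.unparse(node.func) in ("os.getenv", "os.environ.get")):
            key = node.args[0]          # os.getenv("X") / os.environ.get("X")
        elif isinstance(node, ast.Subscript) and ast.unparse(node.value) == "os.environ":
            key = node.slice            # os.environ["X"]
        if key is None:
            continue
        name = _literal(key)
        if name is None:
            dynamic_lines.append(node.lineno)  # name computed at runtime
        else:
            names.add(name)
    return names, sorted(dynamic_lines)

def audit(declared, source):
    """Compare the variables a manifest declares with those the code reads."""
    used, dynamic_lines = env_reads(source)
    return {
        "undeclared": sorted(used - declared),  # read by code, absent from manifest
        "unused": sorted(declared - used),      # declared, never read
        "dynamic_lines": dynamic_lines,         # reads this check cannot resolve
    }
```

The check only recognises the `os.` spellings shown; aliased imports such as `from os import environ` would need to be resolved first.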

Like a lobster shell, security has layers — review code before you run it.

SKILL.md

Notion IM Helper

Automatically sync content to Notion via messages. Supports 7 types: diary, notes, to-dos, ideas, questions, links, and quotes.

Environment Variables

  • NOTION_API_KEY - Notion Integration Token
  • NOTION_PARENT_PAGE_ID - Target Notion Page ID (32 chars)
  • NOTION_QUOTES_PAGE_ID (optional) - Separate page for quotes

Setup

  1. pip install notion-client
  2. Set env vars: NOTION_API_KEY and NOTION_PARENT_PAGE_ID
  3. Authorize integration on Notion page (··· > Connect to)

Usage

When the user sends a message matching a trigger pattern, execute the corresponding script:

python scripts/record.py record --type {type} "{content}"
python scripts/record.py heading --level {1|2|3} "{text}"
python scripts/record.py divider
python scripts/record.py list --kind {bullet|number} "{items}"
python scripts/record.py toggle "{json}"
python scripts/record.py undo
python scripts/check_config.py
python scripts/daily_summary.py {daily|weekly|quote}

Trigger Rules

Content types (prefix → type):

  • 日记: / 今天: / riji: / d → diary
  • 笔记: / 学习: / note: / n → note
  • 待办: / todo: / t → todo
  • done: / 完成: / → done
  • 想法: / 灵感: / idea: / flash: / 闪念: / i → idea
  • 问题: / 疑问: / q: / q → question
  • 摘抄: / quote: / qu: / z → quote
  • 链接: / link: / url: / l → link

Formats:

  • * text → H1 heading
  • ** text → H2 heading
  • *** text → H3 heading
  • > text → quote block
  • --- → divider
  • - text → bulleted list
  • 1. text → numbered list

Commands:

  • 日报 / daily / 今日 / today → show today's records
  • 周报 / weekly → weekly summary
  • 摘抄 / 随机摘抄 → random historical entry
  • 搜: xxx / search: xxx → search records by keyword
  • 撤回 / undo → delete last block
  • 配置检查 / check config → verify config

Smart detection (no prefix, AI infers):

  • Pure URL → link
  • Starts with YYYY-MM-DD → diary
  • Contains [ ] → todo
  • Default → idea

Output Protocol

Scripts emit standardized output prefixes:

  • OK|message → success, relay success message to user
  • ERROR|CONFIG → guide user to set up Notion integration
  • ERROR|AUTH → invalid API key or page not authorized
  • ERROR|RATE_LIMIT → tell user to wait
  • ERROR|NETWORK → tell user to retry later

Always run check_config.py first on first use. Never modify or delete existing Notion blocks.

Files

9 total