📦 Notion IM Helper — Sync IM Messages

v1.7.0

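Syncs instant-messaging messages to Notion in one step through the Notion API. Supports 7 content types, 4 formats, and 2 kinds of metadata. Writes are append-only to a single page, so chat records are archived in one place.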

Last updated: 2026/4/21
Security scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Assessment recommendation
Before installing, verify the skill author/owner and correct metadata mismatches (registry claims no env vars but the code requires NOTION_API_KEY and NOTION_PARENT_PAGE_ID). Review and test on a non-sensitive Notion page: the skill can upload local files (it will accept any existing file path and attempt to upload it via a notion-upload dependency), so an attacker or a mistaken message could cause arbitrary local files to be uploaded to Notion. Also note the code implements undo (deletes blocks...
Detailed analysis
Purpose and capability
The code and SKILL.md align with the declared purpose: they use the Notion API, accept a Notion token and target page, append blocks, support image upload, search, summary and undo. However the registry metadata at the top of the package claims no required environment variables / primary credential while SKILL.md and config.yaml require NOTION_API_KEY and NOTION_PARENT_PAGE_ID — that mismatch is an incoherence and should be clarified. The ownerId in _meta.json differs from the registry owner listed, which is another metadata inconsistency.
Instruction scope
Runtime instructions and the scripts operate within the Notion domain, but they also access the local filesystem: they read/write a local .pending_batch.json for undo and accept arbitrary local file paths for 'image' uploads. is_local_file_path treats any existing file path as uploadable (no strict extension check), and upload_file will call a third-party notion-upload library to transmit the file — this enables uploading any local file the agent is given a path to (potential data exfiltration if misused). The SKILL.md also contains the contradictory statement 'Never modify or delete existing Notion blocks' while the scripts implement an undo that deletes blocks; clarify intended behavior and limits.
Install mechanism
This is an instruction+code bundle with no network download install steps. The only installation step mentioned is 'pip install notion-client' (and notion-upload is conditionally required). No external archives or arbitrary URLs are fetched by the install process in the package itself.
Credential requirements
The skill legitimately needs NOTION_API_KEY and NOTION_PARENT_PAGE_ID (and optionally NOTION_QUOTES_PAGE_ID). Those are declared in SKILL.md and config.yaml, but the top-level registry summary incorrectly lists 'Required env vars: none' and 'Primary credential: none' — this mismatch is misleading and should be corrected. The number and type of env vars are otherwise proportionate to the stated Notion integration purpose.
Persistence and privileges
The skill does not request elevated platform privileges (always:false). It stores a local .pending_batch.json to support undo, which is a narrow, local persistence. The ability to delete appended blocks (undo) is a normal feature for this use case but increases the potential impact if the skill runs with malicious inputs — consider whether delete permissions should be limited to the skill's own appended blocks.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v1.7.0 · 2026/3/20

Benign

Install command

Official: npx clawhub@latest install notion-im-helper
Mirror: npx clawhub@latest install notion-im-helper --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库