cbbathaglini

Shopee to Notion Sync

by Carine Bertagnolli Bathaglini · GitHub ↗ · v1.0.0 · MIT-0
cross-platform · ⚠ suspicious
Downloads: 88 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install shopee-to-notion-sync
Description
Sync Shopee products into Notion using the local Node.js workflow only.
Usage Guidance
This skill's behavior generally matches its name: it calls the Shopee affiliate GraphQL endpoint and the Notion API to create/update pages. Before installing or running it:
  - Treat the registry metadata as incomplete: the script requires SHOPEE_APP_ID, SHOPEE_SECRET, NOTION_TOKEN, and NOTION_DATABASE_ID (put them into a dedicated env file or export them at runtime).
  - Inspect the .env file at /data/.openclaw/workspace-sales/.env (or change jobs/config.js). The script will load that exact path, which could expose other workspace secrets; run the skill in an isolated workspace or modify config.js to use a skill-local .env or explicit env vars.
  - Verify the Notion token's scope (least privilege) and the Shopee credentials before granting them.
  - Run npm install in a controlled environment and review the dependencies (axios, dotenv are expected).
If you want higher assurance, ask the author to: (a) declare required env vars in the registry metadata, (b) remove the hard-coded absolute dotenv path or make it configurable, and (c) document exactly what is stored in the workspace .env so you can confirm no unrelated secrets will be read.
Capability Analysis
Type: OpenClaw Skill
Name: shopee-to-notion-sync
Version: 1.0.0
The skill facilitates syncing Shopee products to Notion via a Node.js script, but it contains a vulnerability in jobs/shopee-client.js where the search keyword is directly interpolated into a GraphQL query string without sanitization, allowing for potential GraphQL injection. Additionally, the command template provided in SKILL.md (node jobs/sync-shopee-notion.js "<keyword>" ...) presents a shell injection risk if the AI agent fails to properly escape user-provided input. While the code appears to be a legitimate integration and lacks evidence of intentional malice or data exfiltration, these security flaws meet the criteria for a suspicious classification.
Capability Tags
crypto
Capability Assessment
Purpose & Capability
The code implements Shopee search + Notion upsert which matches the skill description. However the registry metadata declares no required environment variables despite the code and README clearly requiring SHOPEE_APP_ID, SHOPEE_SECRET, NOTION_TOKEN, and NOTION_DATABASE_ID — this mismatch is unexpected and reduces trust/clarity.
Instruction Scope
SKILL.md restricts execution to the included Node script and forbids scraping/web search; the script follows that. But jobs/config.js uses dotenv.config with a hard-coded absolute path (/data/.openclaw/workspace-sales/.env) — the runtime will read that specific workspace .env file, which may contain other agent secrets; this expands the scope of what the skill can access beyond its own folder.
Install Mechanism
No install spec is provided (instruction-only install), but package.json and package-lock.json indicate normal npm deps (axios, dotenv). There are no external download URLs or extraction steps in the skill itself. Expect the user to run npm install manually.
Credentials
The code requires Shopee API credentials and a Notion token/database id — those are proportionate to the stated purpose. However: (1) the skill registry lists no required env vars (incoherent), and (2) the hard-coded dotenv path may surface additional environment variables from the workspace (possible unintended access to unrelated secrets).
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges, and it does not modify other skills or system-wide settings. Autonomous invocation is allowed by default but not combined with other high-privilege requests.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install shopee-to-notion-sync
  3. After installation, invoke the skill by name or use /shopee-to-notion-sync
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Shopee-Notion Sync skill:
  - Enables syncing Shopee products into Notion using a local Node.js workflow.
  - Supports searching, saving, updating, and syncing Shopee product data directly to Notion tables.
  - Enforces use of a single Node.js command; prohibits use of web, browser, curl, Python, shell scripts, scraping, or generated data.
  - Sets default target as `shopee_produtos` and default limit as `10`.
  - Response includes only: keyword used, target used, created, updated, and failed counts.
Metadata
Slug shopee-to-notion-sync
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Shopee to Notion Sync?

Sync Shopee products into Notion using the local Node.js workflow only. It is an AI Agent Skill for Claude Code / OpenClaw, with 88 downloads so far.

How do I install Shopee to Notion Sync?

Run "/install shopee-to-notion-sync" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Shopee to Notion Sync free?

Yes, Shopee to Notion Sync is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Shopee to Notion Sync support?

Shopee to Notion Sync is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Shopee to Notion Sync?

It is built and maintained by Carine Bertagnolli Bathaglini (@cbbathaglini); the current version is v1.0.0.
