← Back to Skills Marketplace
147
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install siyuan-export
Description
思源笔记文档导出工具。将思源笔记文档导出为 Word(docx) 格式,支持按文档 ID/路径/名称搜索导出,图片自动打包进文档。支持单个文档导出和批量导出子文档。触发词:导出文档、导出 Word、siyuan export、思源导出、批量导出、导出子文档
Usage Guidance
This skill largely does what it promises (export SiYuan notes to .docx) and uses only Python stdlib, but take these precautions before using it: 1) The skill needs your SiYuan API token (SIYUAN_TOKEN) even though the registry metadata doesn't list it — treat that as required and keep the token secret. 2) Prefer keeping SIYUAN_BASE_URL as the default localhost (http://127.0.0.1:6806); do not point it to an unknown remote server (that would let that remote host receive requests authenticated with your token). 3) Review the script yourself or run it in a controlled environment — the script builds SQL queries via string interpolation from user input (search keywords, IDs), which can cause unexpected queries; avoid running it with untrusted or automated inputs unless you sanitize them. 4) Store token via environment variables rather than a plaintext config.json in shared locations. 5) If you need higher assurance, request that the publisher correct the registry metadata to declare required env vars and provide a verified homepage/source, or run the script locally after manual code review.
Capability Analysis
Type: OpenClaw Skill
Name: siyuan-export
Version: 1.0.2
The script `scripts/siyuan_export.py` contains multiple SQL injection vulnerabilities where user-provided inputs (search keywords, document IDs, and paths) are directly interpolated into SQL query strings sent to the local Siyuan Note API. While the tool's functionality aligns with its stated purpose of exporting notes to Word format, these security flaws allow for potential manipulation of the local database. No evidence of intentional malice, such as data exfiltration to external domains or remote code execution, was detected.
Capability Assessment
Purpose & Capability
Name/description match the code and instructions: the script calls SiYuan export and query APIs and writes .docx output. However the registry metadata claims 'required env vars: none' and 'primary credential: none' while both the SKILL.md and the script require an API token (SIYUAN_TOKEN) and may read SIYUAN_BASE_URL / SIYUAN_TIMEOUT. This metadata omission is an inconsistency.
Instruction Scope
SKILL.md stays within the stated purpose (configure token/base URL, call local SiYuan APIs, write docx). The script only reads config.json in the skill directory and environment variables, queries the SiYuan API, and writes export files. A noteworthy point: SQL statements are built by string interpolation with user-supplied values (search keywords, doc IDs), which can allow unexpected/malicious queries against the SiYuan API if untrusted input is provided.
Install Mechanism
No install spec — instruction-only with a Python script relying only on the standard library. Nothing is downloaded or extracted at install time, which lowers installation risk.
Credentials
The skill requires a SiYuan API token and optionally a base URL and timeout (SIYUAN_TOKEN, SIYUAN_BASE_URL, SIYUAN_TIMEOUT), but the registry metadata does not declare these. Requesting an API token is expected for this functionality, but the missing declaration is a transparency issue. Also be aware that if you set SIYUAN_BASE_URL to a remote host (instead of the default localhost), the script will talk to that host using your token — so never point it to an untrusted remote server.
Persistence & Privilege
always:false and the skill does not request persistent platform-level privileges. It does not modify other skills' configuration or system-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install siyuan-export - After installation, invoke the skill by name or use
/siyuan-export - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Added config.example.json as a configuration template (including timeout field).
- Added .gitignore file.
- Removed config.json; users are now encouraged to copy and rename config.example.json or use environment variables for configuration.
- Updated documentation to clarify multiple configuration methods and improve usage instructions.
v1.0.1
siyuan-export 1.3.0 introduces new features and usage improvements:
- 新增按文档名称关键字搜索导出功能(`--search` / `-s` 参数)
- 使用方法与参数说明部分加入“搜索导出”用法,并简化参数说明
- 技能描述更新,明确支持按文档 ID/路径/名称搜索导出
- 其他描述文本优化,更突出各项核心特性
v1.0.0
- Initial release of siyuan-export: A tool to export SiYuan documents to Word (.docx) format.
- Supports export by document ID or path; images are embedded into the docx file automatically.
- Offers both single document export and batch export of sub-documents (including nested).
- Provides structured JSON output for easier integration with other tools.
- Requires a running SiYuan instance and user configuration of baseURL and token.
- Pure Python implementation with no external dependencies.
Metadata
Frequently Asked Questions
What is siyuan-export?
思源笔记文档导出工具。将思源笔记文档导出为 Word(docx) 格式,支持按文档 ID/路径/名称搜索导出,图片自动打包进文档。支持单个文档导出和批量导出子文档。触发词:导出文档、导出 Word、siyuan export、思源导出、批量导出、导出子文档. It is an AI Agent Skill for Claude Code / OpenClaw, with 147 downloads so far.
How do I install siyuan-export?
Run "/install siyuan-export" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is siyuan-export free?
Yes, siyuan-export is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does siyuan-export support?
siyuan-export is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created siyuan-export?
It is built and maintained by chim (@chimyves); the current version is v1.0.2.
More Skills