Downloads: 485
Stars: 0
Active Installs: 5
Versions: 2
Install in OpenClaw
/install x-to-notebooklm
Description
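Chinese (translated): Parse X (Twitter) articles and upload them to NotebookLM. Uses r.jina.ai to fetch the content, automatically creates a Notebook, and uploads the article. English: Parse X (Twitter) articles and upload to NotebookLM. Uses r.jina.ai to f...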
Usage Guidance
This skill largely does what it claims, but review and mitigate two practical risks before use:
- Command injection: the script uses execSync and interpolates the provided URL into shell commands. Do not run it on untrusted URLs; consider patching the script to validate/encode URLs (or use child_process.spawn with an args array) before execution.
- Temporary file handling: the script leaves temp files after successful uploads; if the content is sensitive, delete the temp files or modify the script to unlink them after use.

Also ensure the NotebookLM CLI binary (NOTEBOOKLM_CLI_PATH) you point to is the authentic, trusted implementation. If you are not comfortable auditing or patching the script, run it in a restricted/sandboxed environment or avoid installing it.
Capability Analysis
Type: OpenClaw Skill
Name: x-to-notebooklm
Version: 1.0.1
The skill contains a critical shell injection vulnerability in `scripts/x-to-notebooklm.mjs` due to the use of `execSync` with unsanitized user-controlled inputs (specifically the `url`, `notebookName`, and `notebookId` parameters). While the script's logic aligns with its stated purpose of fetching content via `r.jina.ai` and uploading to NotebookLM, the lack of input sanitization allows for arbitrary command execution if a crafted URL or notebook name is provided. No clear evidence of intentional malice, data exfiltration, or obfuscation was found.
Capability Assessment
Purpose & Capability
Name/description match behavior: the skill fetches X (Twitter) content via r.jina.ai and uses a NotebookLM CLI to create notebooks and upload content. The declared optional env vars (NOTEBOOKLM_DEFAULT_NOTEBOOK, X_TO_NOTEBOOKLM_VERBOSE, NOTEBOOKLM_CLI_PATH) map to behavior in the code.
Instruction Scope
The runtime instructions and the bundled script invoke shell commands (curl, and node on an external notebooklm CLI) with the user-supplied URL interpolated into shell strings. execSync is used to run the commands, and the user-controlled URL is placed inside a quoted shell command without strong sanitization. This creates a real command-injection risk if an attacker-supplied or malformed URL contains shell metacharacters. The script also writes content to a temp file and does not delete that temp file after a successful upload (only on error), contradicting the README/REPORT claim that temp files are auto-cleaned.
Install Mechanism
No install spec — instruction-only plus a bundled Node script. No downloads from untrusted URLs or package installs. Risk surface is limited to local execution of the included script and calling the NotebookLM CLI.
Credentials
The skill requests no secrets and relies on the NotebookLM CLI for authentication (user-run login). It reads a few environment variables (NOTEBOOKLM_CLI_PATH, NOTEBOOKLM_DEFAULT_NOTEBOOK, X_TO_NOTEBOOKLM_VERBOSE, HOME) that are reasonable for configuration. However, allowing NOTEBOOKLM_CLI_PATH to point to an arbitrary script gives an attacker who can control that path a way to run arbitrary code — this is a configuration-time risk to be aware of.
Persistence & Privilege
always:false and no system-wide changes. The skill does not request permanent platform privileges or modify other skills' configs. It executes as a user-run CLI wrapper, which is expected.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install x-to-notebooklm`
- After installation, invoke the skill by name or use `/x-to-notebooklm`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Add Chinese-English bilingual support
v1.0.0
Initial release of x-to-notebooklm.
- Enables parsing X (Twitter) articles and uploading them to Google NotebookLM.
- Uses r.jina.ai to extract content without requiring an API key.
- Automatically creates or selects a Notebook in NotebookLM, and uploads the article as a Source.
- Provides command-line options for notebook name, existing notebook ID, and verbose output.
- Includes troubleshooting for authentication, content extraction limits, and upload issues.
- Requires NotebookLM CLI and Node.js.
Frequently Asked Questions
What is X To Notebooklm?
Chinese (translated): Parse X (Twitter) articles and upload them to NotebookLM. Uses r.jina.ai to fetch the content, automatically creates a Notebook, and uploads the article. English: Parse X (Twitter) articles and upload to NotebookLM. Uses r.jina.ai to f... It is an AI Agent Skill for Claude Code / OpenClaw, with 485 downloads so far.
How do I install X To Notebooklm?
Run "/install x-to-notebooklm" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is X To Notebooklm free?
Yes, X To Notebooklm is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does X To Notebooklm support?
X To Notebooklm is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created X To Notebooklm?
It is built and maintained by nicoxia (@nicoxia); the current version is v1.0.1.