← 返回 Skills 市场
Notion IM Helper
作者
70asunflower
· GitHub ↗
· v1.7.1
· MIT-0
323
总下载
1
收藏
0
当前安装
7
版本数
在 OpenClaw 中安装
/install notion-im-helper
功能描述
Sync IM messages to Notion via Notion API. Supports 7 content types, 4 formats, 2 metadata types. Append-only to a single Notion page.
安全使用建议
What to check before installing: 1) Be aware the skill DOES require NOTION_API_KEY and NOTION_PARENT_PAGE_ID (despite the top-level registry listing saying none) — set those as environment variables and use a test Notion page first. 2) If you plan to upload local images, the code imports notion-upload (notion_upload) which is not clearly declared in the instructions; inspect that library or avoid local-file uploads. 3) The skill will read/write small local files (.pending_batch.json, and documentation mentions .pending_content.txt) and on Windows attempts to read user environment variables from the registry — be comfortable with those filesystem/registry accesses. 4) The skill supports an 'undo' that deletes blocks via the Notion API; grant it access only to a page you trust and consider testing undo behavior. 5) Owner and metadata inconsistencies (ownerId differences and missing install declarations) are signs of sloppy packaging — if you are risk-averse, request an updated package that corrects the metadata and explicitly lists all runtime dependencies before installing.
功能分析
Type: OpenClaw Skill
Name: notion-im-helper
Version: 1.7.1
The skill bundle provides legitimate Notion integration but contains high-risk capabilities that could be exploited. Specifically, `scripts/record.py` allows the AI agent to upload arbitrary local files to Notion via the `image` command without validating file types or restricting directory paths, which could be used to exfiltrate sensitive files (e.g., SSH keys, configuration files) if the agent is manipulated. Additionally, `scripts/notion_client.py` includes logic to read from the Windows Registry (`HKEY_CURRENT_USER\Environment`), an unusually broad method for retrieving environment variables. While these features support the stated purpose of syncing content and images, the lack of input sanitization and the broad file access qualify as significant security vulnerabilities.
能力标签
能力评估
Purpose & Capability
The code and SKILL.md clearly implement syncing messages to Notion and require NOTION_API_KEY and NOTION_PARENT_PAGE_ID, which are appropriate for the stated purpose. However the registry metadata at the top reported 'Required env vars: none' while config.yaml and SKILL.md declare NOTION_API_KEY and NOTION_PARENT_PAGE_ID (config.yaml even lists primaryEnv). This mismatch between declared registry requirements and the actual code/README is an incoherence that should be resolved.
Instruction Scope
Instructions and scripts read and write local files (e.g., .pending_batch.json and SKILL.md mentions .pending_content.txt), upload local image files to Notion, and support an 'undo' that deletes blocks. Those file/FS and network operations are expected for this skill, but there are documentation contradictions: SKILL.md/CLAUDE.md say 'NEVER modify or delete existing Notion blocks' while the scripts implement delete_last_block/undo behavior. The caption workflow writes temporary files and the agent must inspect message contents to decide behavior — these are normal but grant the skill filesystem access and the ability to delete content (via undo), so review is recommended.
Install Mechanism
There is no formal install spec (instruction-only), which lowers risk, but the README and code disagree about dependencies. SKILL.md and config.yaml instruct 'pip install notion-client' but the code's upload_file() imports 'notion_upload' (notion-upload) for local file uploads and prints a separate pip install hint if missing. That dependency is not declared in metadata. Missing or undocumented runtime dependencies (especially ones that handle binary uploads) are a practical risk and an incoherence.
Credentials
The required environment variables used in code (NOTION_API_KEY, NOTION_PARENT_PAGE_ID and optional NOTION_QUOTES_PAGE_ID) make sense for Notion integration and are proportional to the functionality. The concerns are: a) the registry listing claimed 'none' which is wrong, and b) the client includes a Windows registry fallback (_get_env using winreg) to obtain env vars — unexpected but plausibly intended. No other unrelated secrets or unrelated service credentials are requested.
Persistence & Privilege
always:false and the skill is user-invocable; it does write a small '.pending_batch.json' file in its scripts directory and may create a '.pending_content.txt' (mentioned in docs). It does not request permanent platform-wide privileges. The ability to delete blocks via the 'undo' command is explicit in functionality and should be considered when granting the skill access to a production page.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install notion-im-helper - 安装完成后,直接呼叫该 Skill 的名称或使用
/notion-im-helper触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.7.1
- Added new scripts for configuration checking, summary, and core operations (recording, searching, etc.).
- Introduced a new "caption" feature with two distinct behaviors:
- Standalone `caption:` messages append content to the last callout as a child paragraph.
- When combined with images/links, `caption:` splits main content from caption text for those blocks.
- Updated trigger rules and usage instructions to include `caption:` and provide detailed handling for captions in image/link messages.
- Clarified content and image/link sync separation, and outlined stricter best practices for AI callers regarding file-based content passing.
- Documented auto-splitting for long content and provided improved guidance for undo and type inference.
v1.7.0
Image upload and batch processing enhancements:
- Added support for uploading images to Notion, with optional captions, from both local files and web URLs.
- Introduced new trigger keywords and script commands for handling images.
- Multi-line messages are now processed in batch, allowing grouped block operations and batch undo within 5 minutes.
- Metadata extraction for tags and projects added via special syntax on the last line.
- Improved undo: batch delete of last group within 5 minutes; otherwise, single block undo.
- Replaced daily/weekly summary with monthly summary in scripts and commands.
v1.5.1
- Added compiled Python cache files for notion_client and record scripts to the codebase.
- No changes to user-facing features or documentation.
v1.5.0
优化了一些功能,修复bug
v1.0.2
notion-im-helper 1.0.2
- 新增 _meta.json 和 project_summary.md 文件,为项目增加元数据和简要概览。
- 无其他功能或脚本变更。
v1.0.1
no code changes; metadata or documentation only
- No file or code changes were detected in this version.
- No functional behavior has changed; this update only includes possible documentation or meta updates.
v1.0.0
notion-im-helper 1.0.0
- 首发版本,支持通过 IM 消息自动同步多种内容到 Notion。
- 支持闪念速记、待办、标题、引用、分割线、有序/无序列表、多级下拉、标签、项目归类等多种格式识别与追加。
- 全部 Notion 操作通过 scripts 目录下 Python 脚本调用,安全可靠,严格禁止删除或修改已有记录。
- 支持消息多行解析和元数据(标签、项目、来源)提取。
- 提供搜索、日报、周报、随机摘抄等只读查询接口。
- 集成完整的首次使用配置引导及人性化出错提示。
元数据
常见问题
Notion IM Helper 是什么?
Sync IM messages to Notion via Notion API. Supports 7 content types, 4 formats, 2 metadata types. Append-only to a single Notion page. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 323 次。
如何安装 Notion IM Helper?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install notion-im-helper」即可一键安装,无需额外配置。
Notion IM Helper 是免费的吗?
是的,Notion IM Helper 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Notion IM Helper 支持哪些平台?
Notion IM Helper 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Notion IM Helper?
由 70asunflower(@70asunflower)开发并维护,当前版本 v1.7.1。
推荐 Skills