← 返回 Skills 市场
Shopee to Notion Sync
作者
Carine Bertagnolli Bathaglini
· GitHub ↗
· v1.0.0
· MIT-0
88
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install shopee-to-notion-sync
功能描述
Sync Shopee products into Notion using the local Node.js workflow only.
安全使用建议
This skill's behavior generally matches its name — it calls the Shopee affiliate GraphQL endpoint and the Notion API to create/update pages. Before installing or running it:
- Treat the registry metadata as incomplete: the script requires SHOPEE_APP_ID, SHOPEE_SECRET, NOTION_TOKEN, and NOTION_DATABASE_ID (put them into a dedicated env file or export them at runtime).
- Inspect the .env file at /data/.openclaw/workspace-sales/.env (or change jobs/config.js) — the script will load that exact path, which could expose other workspace secrets; run the skill in an isolated workspace or modify config.js to use a skill-local .env or explicit env vars.
- Verify the Notion token's scope (least privilege) and the Shopee credentials before granting them.
- Run npm install in a controlled environment and review the dependencies (axios, dotenv are expected).
If you want higher assurance, ask the author to: (a) declare required env vars in the registry metadata, (b) remove the hard-coded absolute dotenv path or make it configurable, and (c) document exactly what is stored in the workspace .env so you can confirm no unrelated secrets will be read.
功能分析
Type: OpenClaw Skill
Name: shopee-to-notion-sync
Version: 1.0.0
The skill facilitates syncing Shopee products to Notion via a Node.js script, but it contains a vulnerability in jobs/shopee-client.js where the search keyword is directly interpolated into a GraphQL query string without sanitization, allowing for potential GraphQL injection. Additionally, the command template provided in SKILL.md (node jobs/sync-shopee-notion.js "<keyword>" ...) presents a shell injection risk if the AI agent fails to properly escape user-provided input. While the code appears to be a legitimate integration and lacks evidence of intentional malice or data exfiltration, these security flaws meet the criteria for a suspicious classification.
能力标签
能力评估
Purpose & Capability
The code implements Shopee search + Notion upsert which matches the skill description. However the registry metadata declares no required environment variables despite the code and README clearly requiring SHOPEE_APP_ID, SHOPEE_SECRET, NOTION_TOKEN, and NOTION_DATABASE_ID — this mismatch is unexpected and reduces trust/clarity.
Instruction Scope
SKILL.md restricts execution to the included Node script and forbids scraping/web search; the script follows that. But jobs/config.js uses dotenv.config with a hard-coded absolute path (/data/.openclaw/workspace-sales/.env) — the runtime will read that specific workspace .env file, which may contain other agent secrets; this expands the scope of what the skill can access beyond its own folder.
Install Mechanism
No install spec is provided (instruction-only install), but package.json and package-lock.json indicate normal npm deps (axios, dotenv). There are no external download URLs or extraction steps in the skill itself. Expect the user to run npm install manually.
Credentials
The code requires Shopee API credentials and a Notion token/database id — those are proportionate to the stated purpose. However: (1) the skill registry lists no required env vars (incoherent), and (2) the hard-coded dotenv path may surface additional environment variables from the workspace (possible unintended access to unrelated secrets).
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges, and it does not modify other skills or system-wide settings. Autonomous invocation is allowed by default but not combined with other high-privilege requests.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install shopee-to-notion-sync - 安装完成后,直接呼叫该 Skill 的名称或使用
/shopee-to-notion-sync触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of Shopee-Notion Sync skill:
- Enables syncing Shopee products into Notion using a local Node.js workflow.
- Supports searching, saving, updating, and syncing Shopee product data directly to Notion tables.
- Enforces use of a single Node.js command; prohibits use of web, browser, curl, Python, shell scripts, scraping, or generated data.
- Sets default target as `shopee_produtos` and default limit as `10`.
- Response includes only: keyword used, target used, created, updated, and failed counts.
元数据
常见问题
Shopee to Notion Sync 是什么?
Sync Shopee products into Notion using the local Node.js workflow only. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 88 次。
如何安装 Shopee to Notion Sync?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install shopee-to-notion-sync」即可一键安装,无需额外配置。
Shopee to Notion Sync 是免费的吗?
是的,Shopee to Notion Sync 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Shopee to Notion Sync 支持哪些平台?
Shopee to Notion Sync 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Shopee to Notion Sync?
由 Carine Bertagnolli Bathaglini(@cbbathaglini)开发并维护,当前版本 v1.0.0。
推荐 Skills