X To Notebooklm

Author nicoxia · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 485
Favorites: 0
Current installs: 5
Versions: 2
Install in OpenClaw
/install x-to-notebooklm
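Description
Chinese: Parse X (Twitter) articles and upload them to NotebookLM. Uses r.jina.ai to fetch the content, automatically creates a Notebook, and uploads the article. English: Parse X (Twitter) articles and upload to NotebookLM. Uses r.jina.ai to f...
Security usage recommendations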
This skill largely does what it claims, but review and mitigate two practical risks before use: (1) Command injection — the script uses execSync and interpolates the provided URL into shell commands. Do not run it on untrusted URLs; consider patching the script to validate/encode URLs (or use child_process.spawn with args array) before execution. (2) Temporary file handling — the script leaves temp files after successful uploads; if content is sensitive, delete temp files or modify the script to unlink them after use. Also ensure the NotebookLM CLI binary (NOTEBOOKLM_CLI_PATH) you point to is the authentic, trusted implementation. If you are not comfortable auditing or patching the script, run it in a restricted/sandboxed environment or avoid installing.
Functional analysis
Type: OpenClaw Skill
Name: x-to-notebooklm
Version: 1.0.1

The skill contains a critical shell injection vulnerability in `scripts/x-to-notebooklm.mjs` due to the use of `execSync` with unsanitized user-controlled inputs (specifically the `url`, `notebookName`, and `notebookId` parameters). While the script's logic aligns with its stated purpose of fetching content via `r.jina.ai` and uploading to NotebookLM, the lack of input sanitization allows for arbitrary command execution if a crafted URL or notebook name is provided. No clear evidence of intentional malice, data exfiltration, or obfuscation was found.
Capability assessment
Purpose & Capability
Name/description match behavior: the skill fetches X (Twitter) content via r.jina.ai and uses a NotebookLM CLI to create notebooks and upload content. The declared optional env vars (NOTEBOOKLM_DEFAULT_NOTEBOOK, X_TO_NOTEBOOKLM_VERBOSE, NOTEBOOKLM_CLI_PATH) map to behavior in the code.
Instruction Scope
The runtime instructions and the bundled script invoke shell commands (curl and node on an external notebooklm CLI) with the user-supplied URL interpolated into shell strings. execSync is used to run commands, and the user-controlled URL is placed inside a quoted shell command without strong sanitization. This creates a real command-injection risk if an attacker-supplied or malformed URL contains shell metacharacters. The script also writes content to a temp file and does not delete that temp file after a successful upload (only on error), contradicting the README/REPORT claim that temp files are auto-cleaned.
Install Mechanism
No install spec — instruction-only plus a bundled Node script. No downloads from untrusted URLs or package installs. Risk surface is limited to local execution of the included script and calling the NotebookLM CLI.
Credentials
The skill requests no secrets and relies on the NotebookLM CLI for authentication (user-run login). It reads a few environment variables (NOTEBOOKLM_CLI_PATH, NOTEBOOKLM_DEFAULT_NOTEBOOK, X_TO_NOTEBOOKLM_VERBOSE, HOME) that are reasonable for configuration. However, allowing NOTEBOOKLM_CLI_PATH to point to an arbitrary script gives an attacker who can control that path a way to run arbitrary code — this is a configuration-time risk to be aware of.
Persistence & Privilege
always:false and no system-wide changes. The skill does not request permanent platform privileges or modify other skills' configs. It executes as a user-run CLI wrapper, which is expected.
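How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install x-to-notebooklm
  3. Once installation completes, invoke the Skill by name or trigger it with /x-to-notebooklm
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history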
v1.0.1
Add Chinese-English bilingual support
v1.0.0
Initial release of x-to-notebooklm.
- Enables parsing X (Twitter) articles and uploading them to Google NotebookLM.
- Uses r.jina.ai to extract content without requiring an API key.
- Automatically creates or selects a Notebook in NotebookLM, and uploads the article as a Source.
- Provides command-line options for notebook name, existing notebook ID, and verbose output.
- Includes troubleshooting for authentication, content extraction limits, and upload issues.
- Requires NotebookLM CLI and Node.js.
Metadata
Slug x-to-notebooklm
Version 1.0.1
License MIT-0
Total installs 5
Current installs 5
Number of versions 2
FAQ

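What is X To Notebooklm?

Chinese: Parse X (Twitter) articles and upload them to NotebookLM. Uses r.jina.ai to fetch the content, automatically creates a Notebook, and uploads the article. English: Parse X (Twitter) articles and upload to NotebookLM. Uses r.jina.ai to f... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 485 total downloads to date.

How do I install X To Notebooklm?

Run the command "/install x-to-notebooklm" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is X To Notebooklm free?

Yes, X To Notebooklm is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does X To Notebooklm support?

X To Notebooklm runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed X To Notebooklm?

It is developed and maintained by nicoxia (@nicoxia); the current version is v1.0.1.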
