Security scan
OpenClaw
Suspicious
Medium confidence. The skill mostly does what its name says (sync Shopee -> Notion), but there are coherence issues — notably missing declared environment requirements and a hard-coded .env path that could read unrelated workspace secrets.
Assessment recommendations
This skill's behavior generally matches its name — it calls the Shopee affiliate GraphQL endpoint and the Notion API to create/update pages. Before installing or running it:
- Treat the registry metadata as incomplete: the script requires SHOPEE_APP_ID, SHOPEE_SECRET, NOTION_TOKEN, and NOTION_DATABASE_ID (put them into a dedicated env file or export them at runtime).
- Inspect the .env file at /data/.openclaw/workspace-sales/.env (or change jobs/config.js) — the script will load that exact pa...
ℹ Purpose and capabilities
The code implements Shopee search + Notion upsert which matches the skill description. However the registry metadata declares no required environment variables despite the code and README clearly requiring SHOPEE_APP_ID, SHOPEE_SECRET, NOTION_TOKEN, and NOTION_DATABASE_ID — this mismatch is unexpected and reduces trust/clarity.
⚠ Instruction scope
SKILL.md restricts execution to the included Node script and forbids scraping/web search; the script follows that. But jobs/config.js uses dotenv.config with a hard-coded absolute path (/data/.openclaw/workspace-sales/.env) — the runtime will read that specific workspace .env file, which may contain other agent secrets; this expands the scope of what the skill can access beyond its own folder.
ℹ Install mechanism
No install spec is provided (instruction-only install), but package.json and package-lock.json indicate normal npm deps (axios, dotenv). There are no external download URLs or extraction steps in the skill itself. Expect the user to run npm install manually.
⚠ Credential requirements
The code requires Shopee API credentials and a Notion token/database id — those are proportionate to the stated purpose. However: (1) the skill registry lists no required env vars (incoherent), and (2) the hard-coded dotenv path may surface additional environment variables from the workspace (possible unintended access to unrelated secrets).
✓ Persistence and privileges
The skill does not request 'always: true' or other elevated persistent privileges, and it does not modify other skills or system-wide settings. Autonomous invocation is allowed by default but not combined with other high-privilege requests.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/8
Initial release of Shopee-Notion Sync skill:
- Enables syncing Shopee products into Notion using a local Node.js workflow.
- Supports searching, saving, updating, and syncing Shopee product data directly to Notion tables.
- Enforces use of a single Node.js command; prohibits use of web, browser, curl, Python, shell scripts, scraping, or generated data.
- Sets default target as `shopee_produtos` and default limit as `10`.
- Response includes only: keyword used, target used, created, updated, and failed counts.
● Suspicious
Install command
Official: npx clawhub@latest install shopee-to-notion-sync
Mirror: npx clawhub@latest install shopee-to-notion-sync --registry https://cn.clawhub-mirror.com
Skill documentation
Use this skill for any request involving:
- searching Shopee products
- saving Shopee products to Notion
- updating Shopee product tables in Notion
- syncing Shopee with Notion
Mandatory rule
For any request covered by this skill, you MUST use only this command:
node jobs/sync-shopee-notion.js "
Do NOT:
- use web search
- use browser tools
- use curl directly
- create Python scripts
- create shell scripts
- scrape websites
- write memory files
- invent product results
Defaults
- default target: `shopee_produtos`
- default limit: `10`
Response format
Return only:
- keyword used
- target used
- created
- updated
- failed
Examples
node jobs/sync-shopee-notion.js "celular" 10 shopee_produtos
node jobs/sync-shopee-notion.js "blusas de academia femininas" 10 shopee_produtos
Data source: ClawHub · Chinese localization: 龙虾技能库