Trusted: risk score 5/100
Last scan: 2 days ago
notion-im-helper
Sync IM messages to Notion via Notion API. Supports 7 content types (diary, note, todo, idea, question, quote, link) and 4 formats (heading, quote, divider, list). Append-only to a single authorized Notion page.
A legitimate Notion API integration tool with no malicious behavior. All network requests go exclusively to the official Notion API. Credentials are read from environment variables and used only for API authentication. No shell execution, credential harvesting, data exfiltration, or hidden functionality observed.
Skill name: notion-im-helper
Analysis time: 37.4s
Engine: pi
Verdict: safe to install
No action needed. The skill is safe to use.

Security findings (2)

Severity | Finding | Location
Low | Unpinned dependency | config.yaml:35
  config.yaml documents 'pip install notion-client' without a version pin, leaving the install open to supply-chain drift
  Evidence: pip install notion-client
  → Pin to a known version, e.g. 'pip install notion-client==2.2.1', to ensure reproducible and secure installs
Info | External URL in user-facing guidance | scripts/check_config.py:14
  check_config.py contains a hardcoded URL to notion.so/my-integrations presented as part of the first-run setup guide
  Evidence: → 打开 https://www.notion.so/my-integrations
  → No action needed; this is legitimate documentation and the URL points to Notion's own site
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | sys.path.insert, open calls only — all read-only file operations within the skil…
Network access | READ | WRITE | ✓ Consistent | All network requests target https://api.notion.com/v1 exclusively — the official…
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md declares subprocess/CLI usage via argparse. record.py calls sys.argv pa…
Environment variables | NONE | READ | ✓ Consistent | Reads NOTION_API_KEY and NOTION_PARENT_PAGE_ID from os.environ — only for legiti…
Skill invocation | NONE | WRITE | ✓ Consistent | record.py implements toggle JSON parsing from stdin/args; undo command deletes l…
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation found
Database | NONE | WRITE | ✓ Consistent | Appends blocks to a single Notion page via PATCH, reads via GET, deletes last bl…
External URLs (2 findings)

Severity | Type | URL | Location
Medium | External URL | https://www.notion.so/my-integrations | scripts/check_config.py:14
Medium | External URL | https://api.notion.com/v1 | scripts/notion_client.py:12

Directory structure

9 files · 31.8 KB · 1076 lines
Python 5 files · 798 lines; Markdown 2 files · 180 lines; YAML 1 file · 90 lines; JSON 1 file · 8 lines
├─ 📁 scripts
│ ├─ 🐍 check_config.py Python 42L · 1.3 KB
│ ├─ 🐍 daily_summary.py Python 143L · 4.3 KB
│ ├─ 🐍 notion_client.py Python 141L · 4.5 KB
│ ├─ 🐍 record.py Python 338L · 9.5 KB
│ └─ 🐍 search_notes.py Python 134L · 3.7 KB
├─ 📋 _meta.json JSON 8L · 306 B
├─ 📝 CLAUDE.md Markdown 99L · 3.7 KB
├─ 📋 config.yaml YAML 90L · 1.9 KB
└─ 📝 SKILL.md Markdown 81L · 2.7 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
notion-client | * | pip (unpinned) | | Dependency declared in config.yaml install step without version constraint

Security highlights

✓ All network traffic is exclusively to api.notion.com — no third-party endpoints or hardcoded IPs
✓ API credentials are read from environment variables and never leave the Notion API boundary
✓ Append-only design: only the configured PAGE_ID is modified, no arbitrary page access
✓ No subprocess, no shell injection, no eval(), no base64 decoding
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ No hidden HTML comments, no steganography, no obfuscation
✓ Standard urllib.request with retry logic — no suspicious HTTP client libraries
✓ search_notes.py uses the official Notion Search API (POST /search) — no raw scraping
✓ undo is the only delete operation and it is explicitly documented in SKILL.md