扫描报告
0 /100
notion-time-management-matrix
待办事项管理技能,用于通过 exec 调用 Python 脚本完成指定notion数据库的连接,基于四象限法则进行时间管理,待办事项创建、查询、更新与分析总结
A legitimate Notion task management skill with clean code, no obfuscation, fully documented behavior, and only the declared network/filesystem operations needed for its purpose.
可以安装
Approve for use. No security concerns identified.
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 文件系统 | WRITE | WRITE | ✓ 一致 | SKILL.md states state file at script directory; STATE_PATH write |
| 网络访问 | READ | READ | ✓ 一致 | requests to api.notion.com only; documented in SKILL.md |
| 命令执行 | WRITE | WRITE | ✓ 一致 | SKILL.md §4: exec/popen via python3 subprocess |
| 环境变量 | NONE | NONE | — | No os.environ access; api_key read from file path only |
| 技能调用 | NONE | NONE | — | No cross-skill invocation |
| 剪贴板 | NONE | NONE | — | No clipboard access |
| 浏览器 | NONE | NONE | — | No browser automation |
| 数据库 | NONE | NONE | — | No SQL DB; Notion is an HTTP API |
1 项发现
中危 外部 URL 外部 URL
https://api.notion.com/v1 scripts/notion_quadrant_manager.py:14 目录结构
2 文件 · 43.7 KB · 1288 行 Python 1f · 1083L
Markdown 1f · 205L
├─
▾
scripts
│ └─
notion_quadrant_manager.py
Python
└─
SKILL.md
Markdown
依赖分析 1 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
requests | unpinned | stdlib-equivalent | 否 | requests is not declared in a requirements.txt; it is a de-facto stdlib-equivalent with no version pinning, which is a minor observation not a security risk for this use case |
安全亮点
✓ No obfuscation: all code is plain Python, no base64, no eval(), no dynamic code generation
✓ Network calls limited exclusively to the official Notion API (api.notion.com) with Bearer auth
✓ API key stored in user-owned config file (~/.config/notion/api_key), not hardcoded or exfiltrated
✓ No sensitive filesystem paths accessed (~/.ssh, ~/.aws, .env not touched)
✓ No environment variable iteration; only reads the explicitly documented API key path
✓ No curl|bash, wget|sh, or remote script execution
✓ No credential harvesting or data exfiltration
✓ No supply chain risk: only uses stdlib + requests library
✓ Complete doc-to-code alignment: every function, action, and permission described in SKILL.md matches implementation
✓ Clean error handling with no silent failures or hidden side effects
✓ State file isolated to script directory, not global paths
✓ Timeout set on HTTP requests (45s) preventing resource exhaustion