Plaintext .env storage of NOTION_API_KEY is unnecessary risk — Notion integration tokens grant write access to every connected page/database and have no expiry. Document the 1Password CLI fetch pattern as the preferred path; .env becomes a discouraged fallback for environments without `op`. SKILL.md adds a Credential handling section covering: - One-shot inline fetch via `op read 'op://Development/Notion - Claude Agent/api-key'` - Subshell-scoped export pattern for repeated use without shell-history exposure - 1Password field-name conventions (api-key for the token) - Anti-patterns to avoid (echo, CLI args, git commits, chat paste) - Token rotation procedure notion_writer.py error message updated to point at the 1Password recipe when NOTION_API_KEY is missing, instead of telling users to create a .env. Tested end-to-end: pushed a 22 KB markdown report (16 tables, 120 nested checkboxes) using the inline 1Password fetch. Bot identity verified, all markdown blocks rendered as native Notion blocks. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
36 KiB
36 KiB