ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pocketalert

The Pocket Alert (pocketalert.app) skill for OpenClaw enables OpenClaw agents and workflows to send push notifications to iOS and Android devices. It is used to deliver alerts and updates from automated tasks, workflows, and background processes.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 1.8k · 0 current installs · 0 all-time installs
by@Akellacom
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and SKILL.md consistently describe a CLI-based integration with Pocket Alert and all shown commands (send, apps, devices, webhooks, apikeys, config) match that stated purpose. However the registry metadata lacks a homepage/source even though the SKILL.md points to an external download URL (info.pocketalert.app); that missing metadata reduces transparency.
Instruction Scope
SKILL.md is instruction-only and limits actions to running the pocketalert CLI. Examples also show using system commands (uptime, systemctl) and cron, and it documents the config location (~/.pocketalert/config.json). Those are reasonable for a monitoring/alerting tool, but they also mean an agent following these instructions could run host-level commands and read/write the CLI config (which may contain API keys). The instructions do not explicitly direct exfiltration, but they give the agent the ability to access sensitive local information.
Install Mechanism
There is no automated install spec (instruction-only), so nothing is written to disk by the skill itself. The SKILL.md tells users to download the CLI from an external URL; because installation is manual, this reduces automatic risk but requires the user to verify the download source and integrity.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. The CLI stores credentials in ~/.pocketalert/config.json and exposes commands like 'apikeys list' and 'config' that reveal/manage API keys; an agent executing those commands could expose secrets. The skill does not request unrelated credentials, but users should be aware that interacting with the CLI involves local credential files.
Persistence & Privilege
The skill is not marked always:true and uses default autonomous invocation settings. That is normal. Nevertheless, because it instructs use of a CLI that can run system commands and access local config, enabling autonomous invocation increases the blast radius if the agent is allowed to run shell commands on sensitive hosts.
What to consider before installing
This instruction-only skill appears to be a straightforward wrapper around the Pocket Alert CLI, but proceed cautiously. Before installing or using it: 1) Verify the CLI download URL (info.pocketalert.app) and prefer official releases or checksums; 2) Confirm the Pocket Alert service is legitimate (look for a homepage, privacy/security policy, and upstream source code or documentation) — the registry metadata here lacks a homepage; 3) Avoid pasting your primary API key into tools you don't fully trust; consider creating a scoped API key for automation; 4) Be aware the skill's examples run host commands (uptime, systemctl) and reference ~/.pocketalert/config.json — these can expose secrets or system state if an agent executes them; restrict agent permissions or run on a low-privilege host; 5) If you need higher assurance, ask the publisher for source code or a homepage and prefer an install path via a known release host (GitHub releases, vendor site) rather than an unknown package. If you cannot verify the CLI or publisher, treat this skill as higher risk and avoid giving it real credentials or allowing autonomous execution on sensitive systems.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2
Download zip
latestvk97674nb4hjwchvs5qwj1nyq2d80ny4w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Pocket Alert

This skill enables interaction with the Pocket Alert service through its CLI tool.

Prerequisites

The pocketalert CLI must be installed and authenticated:

# Install (if not already installed)
# Download from https://info.pocketalert.app/cli.html and extract to /usr/local/bin/

# Authenticate with your API key
pocketalert auth <your-api-key>

Quick Reference

Send Push Notifications

# Basic notification
pocketalert send -t "Title" -m "Message"

# Full form
pocketalert messages send --title "Alert" --message "Server is down!"

# To specific application
pocketalert messages send -t "Deploy" -m "Build completed" -a <app-tid>

# To specific device
pocketalert messages send -t "Alert" -m "Check server" -d <device-tid>

# To all devices
pocketalert messages send -t "Alert" -m "System update" -d all

List Resources

# List last messages
pocketalert messages list
pocketalert messages list --limit 50
pocketalert messages list --device <device-tid>

# List applications
pocketalert apps list

# List devices
pocketalert devices list

# List webhooks
pocketalert webhooks list

# List API keys
pocketalert apikeys list

Manage Applications

# Create application
pocketalert apps create --name "My App"
pocketalert apps create -n "Production" -c "#FF5733"

# Get application details
pocketalert apps get <tid>

# Delete application
pocketalert apps delete <tid>

Manage Devices

# List devices
pocketalert devices list

# Get device details
pocketalert devices get <tid>

# Delete device
pocketalert devices delete <tid>

Manage Webhooks

# Create webhook
pocketalert webhooks create --name "GitHub Webhook" --message "*"
pocketalert webhooks create -n "Deploy Hook" -m "Deployed %repository.name% by %sender.login%"
pocketalert webhooks create -n "CI/CD" -m "*" -a <app-tid> -d all

# List webhooks
pocketalert webhooks list

# Get webhook details
pocketalert webhooks get <tid>

# Delete webhook
pocketalert webhooks delete <tid>

Message Template Variables

When creating webhooks, you can use template variables from the incoming payload:

pocketalert webhooks create \
  --name "GitHub Push" \
  --message "Push to %repository.name%: %head_commit.message%"

Configuration

View or modify configuration:

# View config
pocketalert config

# Set API key
pocketalert config set api_key <new-api-key>

# Set custom base URL (for self-hosted)
pocketalert config set base_url https://your-api.example.com

Configuration is stored at ~/.pocketalert/config.json.

CI/CD Integration Examples

# GitHub Actions / GitLab CI
pocketalert send -t "Build Complete" -m "Version $VERSION deployed"

# Server monitoring with cron
*/5 * * * * /usr/local/bin/pocketalert send -t "Server Health" -m "$(uptime)"

# Service check script
if ! systemctl is-active --quiet nginx; then
  pocketalert send -t "NGINX Down" -m "NGINX is not running on $(hostname)"
fi

Error Handling

The CLI returns appropriate exit codes:

  • 0 - Success
  • 1 - Authentication or API error
  • 2 - Invalid arguments

Always check command output for error details.

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…