Pocketalert
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Pocket Alert notification skill, but it relies on an external authenticated CLI and includes account-management, webhook, and cron examples that users should run deliberately.
Before installing, verify the Pocket Alert CLI source, understand that it will use a local API key, and only allow account-changing commands, webhooks, or cron jobs when you explicitly want them.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the downloaded CLI is not authentic, it could run local commands and handle the user's Pocket Alert API key.
The skill depends on an external CLI binary installed into a system-wide executable path, but the artifact does not provide checksum, signature, package-manager, or pinning guidance.
# Download from https://info.pocketalert.app/cli.html and extract to /usr/local/bin/
Download only from the official Pocket Alert source, verify release integrity if available, and avoid privileged installation unless necessary.
An agent using this skill can act through the authenticated Pocket Alert account and may expose account metadata in its outputs.
The skill requires and uses a Pocket Alert API key, can list API keys, and stores configuration locally, while the registry metadata declares no primary credential. This is expected for the integration but should be visible to users.
pocketalert auth <your-api-key> ... pocketalert apikeys list ... Configuration is stored at `~/.pocketalert/config.json`.
Use a least-privilege API key if Pocket Alert supports it, avoid sharing command output containing key details, and remove or rotate the key if no longer needed.
A mistaken command could spam all configured devices or remove apps, devices, or webhooks from the Pocket Alert account.
The documented CLI commands include sending notifications to all devices and deleting Pocket Alert resources. These are disclosed and service-related, but they are higher-impact account actions.
pocketalert messages send -t "Alert" -m "System update" -d all ... pocketalert apps delete <tid> ... pocketalert devices delete <tid> ... pocketalert webhooks delete <tid>
Require an explicit user request before running send-to-all, create, delete, or configuration-changing commands, and confirm target IDs before deletion.
Sensitive CI/CD, repository, or sender information could appear in notifications if included in webhook templates.
Webhook payload fields can be copied into push notification messages. This is normal for webhook alerts, but it means external event data may be relayed to devices.
When creating webhooks, you can use template variables from the incoming payload: ... --message "Push to %repository.name%: %head_commit.message%"
Create webhooks only for trusted sources, avoid including secrets or sensitive payload fields in templates, and review webhook message formats before enabling them.
If configured, recurring alerts can continue running until the cron entry or webhook is removed.
The documentation includes a cron example for recurring background notifications. It is disclosed as an example and is not automatically installed by the skill.
# Server monitoring with cron
*/5 * * * * /usr/local/bin/pocketalert send -t "Server Health" -m "$(uptime)"
Track any cron jobs or webhooks created for this skill and remove them when they are no longer needed.
