ntfy-notify

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a straightforward ntfy.sh notification sender. Notification content is sent to ntfy.sh, and it goes to a fixed default topic unless you choose your own.

Install only if you are comfortable sending notification content to ntfy.sh. For real use, set your own private topic, avoid secrets in messages or headers, and review any click/action/attachment URLs before sending.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Notification text and headers leave the local environment and may be visible to anyone subscribed to the selected or default ntfy topic.

Why it was flagged

The script posts notification content to ntfy.sh and uses a fixed default topic when --topic is not supplied.

Skill content

TOPIC="CaptainDragonflyBot-TopicTest001"
...
CMD+=("https://ntfy.sh/$TOPIC")

Recommendation

Use your own private or hard-to-guess ntfy topic, avoid sending secrets, and provide --topic explicitly for real notifications.

What this means

A recipient could be prompted to open or trigger an unintended URL if the notification content is not reviewed.

Why it was flagged

The skill can embed user-supplied URLs and action buttons in notifications, which is part of the stated rich-notification purpose but can direct recipients to external actions.

Skill content

- `--click` URL opened on tap
- `--actions` ntfy actions header string (supports buttons)
- `--attach` URL to an image/file shown as attachment

Recommendation

Review click links, action button targets, and attachment URLs before sending notifications, especially for HTTP-triggering actions.

What this means

The skill may fail or behave differently on systems where curl is unavailable or not expected.

Why it was flagged

The script depends on curl at runtime, while the provided metadata declares no required binaries. This is a minor dependency declaration gap, not evidence of malicious behavior.

Skill content

CMD=(curl -fsS -d "$MESSAGE")

Recommendation

Ensure curl is installed and available before relying on the skill.