Notify with Pushover
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill does what it claims—send Pushover notifications—but it requires Pushover credentials and sends notification content to Pushover.
This appears safe for its stated purpose. Before installing, make sure you trust sending notification contents to Pushover, use a dedicated Pushover app token, store credentials securely, and be careful with automated or emergency-priority workflows that could repeatedly notify your devices.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Whoever can invoke the skill with these credentials can send push notifications to the configured Pushover user/devices.
The skill uses Pushover credentials from environment variables or command-line arguments to act on the user's Pushover account. This is purpose-aligned, but it is still credential-backed account access.
const token = process.env.PUSHOVER_APP_TOKEN || process.env.PUSHOVER_TOKEN || args.token;
const user = process.env.PUSHOVER_USER_KEY || process.env.PUSHOVER_USER || args.user;
Use a dedicated Pushover application token, keep the user key and token in a secure environment or secret store, and avoid passing credentials on the command line on shared systems.
Notification text, titles, optional URLs, device names, and priority settings are transmitted to Pushover.
The skill sends the notification payload to the external Pushover API. This network action is disclosed and central to the skill's purpose.
const res = await fetch("https://api.pushover.net/1/messages.json", {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body,
});
Only include information in notifications that you are comfortable sending to Pushover, and review any automated workflows that may call this skill.
