ClawHub
Back to skill
v1.0.0

Notify with Pushover

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:12 AM.

Analysis

This skill does what it claims—sends Pushover notifications—but users should be aware it uses Pushover credentials and can send phone alerts when invoked.

GuidanceThis appears appropriate for sending Pushover alerts. Before installing, create a dedicated Pushover app token, store credentials securely, avoid putting secrets in shell history, and be careful with emergency-priority or recurring cron-based notifications.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
--priority -1|0|1|2

The skill can send Pushover messages with configurable priority, including emergency priority when retry and expire values are provided. This is part of the Pushover notification use case, but it can cause repeated or urgent alerts if invoked carelessly.

User impactMisconfigured workflows could send unwanted or repeated phone alerts.
RecommendationSet clear rules for when the agent should notify you, and be especially careful before using emergency priority or recurring alert workflows.
Rogue Agents
SeverityInfoConfidenceHighStatusNote
SKILL.md
For recurring alerts, prefer `cron` to schedule reminders; the cron job text can instruct Ted to run this skill.

The documentation suggests user-configured recurring alerts through cron. The skill does not install persistence itself, but users should notice that recurring notifications can continue until the cron job is removed.

User impactA user-created cron job could keep sending notifications on a schedule.
RecommendationIf you create recurring alerts, document where the schedule is configured and remove or disable it when no longer needed.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/pushover_send.js
const token = process.env.PUSHOVER_APP_TOKEN || process.env.PUSHOVER_TOKEN || args.token;
const user = process.env.PUSHOVER_USER_KEY || process.env.PUSHOVER_USER || args.user;

The script uses Pushover account credentials to send notifications. This is required for the stated purpose, but users should recognize that it grants the skill authority to send messages through their Pushover account.

User impactIf configured, the skill can send push notifications using the user’s Pushover credentials.
RecommendationUse a dedicated Pushover application token, keep the user key private, and prefer environment variables over command-line secrets where possible.