Skillv1.0.0

ClawScan security

Notify Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousApr 29, 2026, 10:15 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill implements a simple desktop notifier and appears to do what it says, but there are inconsistencies between the documentation and code and a real security risk (unescaped os.system call) that should be fixed before trusting it with untrusted input.
Guidance: This skill is not obviously malicious, but exercise caution. Key concerns: (1) The SKILL.md flags do not match the script's CLI arguments and the README claims no required binaries while the script calls notify-send — the skill should declare notify-send as a dependency or provide an alternative implementation for other OSes. (2) The script uses os.system with an f-string to call notify-send; message/title are interpolated directly into a shell command, which can allow shell injection if an attacker or untrusted input supplies the message. Before installing or using widely: (a) ask the author to fix/document the CLI (short vs long flags), (b) require either safe argument passing (use subprocess.run([...]) or shlex.quote to escape inputs) and add input validation, (c) declare notify-send as a required binary or provide cross-platform fallbacks, and (d) avoid passing untrusted content to this tool until the shell-injection risk is addressed. If you cannot get fixes, consider using or writing a notifier that uses subprocess with an argument list rather than os.system.

Purpose & Capability: concernThe code implements desktop notifications by calling the Linux notify-send command, which matches the stated purpose. However the skill metadata declares no required binaries while the code depends on notify-send (Linux). The presence of a Python script but no install/invocation guidance (how notify-tool becomes available on PATH) is an operational inconsistency.
Instruction Scope: concernSKILL.md documents short flags (-t, -u, -e) and a CLI name notify-tool, but the included script expects --title and --urgency long flags and has no expire (-e) option — the docs and runtime instructions do not match. The SKILL.md does not instruct the agent to access files or secrets (which is good).
Install Mechanism: okThis is an instruction-only skill with no install spec, so nothing is written automatically to disk. That is low-risk. The only operational gap is there is no guidance for making scripts/notify.py accessible as notify-tool (packaging/entry point missing).
Credentials: okNo environment variables, credentials, or config paths are requested. The code does not attempt to read additional environment secrets.
Persistence & Privilege: okSkill does not request permanent/always-on presence and uses normal agent invocation defaults. It does not modify other skills or system-wide configuration.