Pushover
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a disclosed Membrane-based Pushover integration, but it can use delegated account access to send notifications and manage Pushover groups.
Install this only if you are comfortable using Membrane as the gateway for your Pushover account. Before running actions, confirm the target connection, recipient or group, message content, and whether the action mutates account state. Prefer the listed Membrane actions over raw proxy calls, and be especially careful with emergency messages or group membership changes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong action or input, the agent could send unwanted push notifications or change who receives group notifications.
The skill documents authenticated operations that can modify Pushover groups, send urgent notifications, and use a raw API proxy with mutating HTTP methods.
Popular actions ... Remove User from Group ... Send Emergency Message ... `membrane request CONNECTION_ID /path/to/endpoint` ... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
Use explicit user approval for mutating actions, especially sending emergency messages, removing users, disabling users, or using the raw proxy.
The agent can act through the connected Pushover account within the permissions granted to the Membrane connection.
The integration requires delegated Membrane/Pushover account access and ongoing credential handling, which is expected for the service but important for users to understand.
`membrane login --tenant` ... `Membrane handles authentication and credentials refresh automatically`
Connect only the intended Pushover account, review granted permissions, and revoke the Membrane connection when it is no longer needed.
Users rely on the npm package source and current published version of the Membrane CLI.
The setup asks users to install a global npm CLI package, while the artifact set has no install spec or lockfile for this dependency.
`npm install -g @membranehq/cli`
Install the CLI only from the expected npm package, verify the package publisher/version if needed, and keep it updated.
Pushover request data is routed via Membrane rather than directly from the user's environment to Pushover.
Pushover API requests and any message contents pass through Membrane as an authenticated proxy.
send requests directly to the Pushover API through Membrane's proxy ... injects the correct authentication headers
Avoid sending unnecessary sensitive content in notifications or raw proxy requests, and use Membrane only if its data handling is acceptable.