Pushover
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: pushover Version: 1.0.2 The skill is a standard integration for the Pushover notification service using the Membrane CLI. It provides instructions for an AI agent to manage users, groups, and send messages via the 'membrane' command-line tool, with no evidence of malicious intent, data exfiltration, or unauthorized execution (SKILL.md).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong action or input, the agent could send unwanted push notifications or change who receives group notifications.
The skill documents authenticated operations that can modify Pushover groups, send urgent notifications, and use a raw API proxy with mutating HTTP methods.
Popular actions ... Remove User from Group ... Send Emergency Message ... `membrane request CONNECTION_ID /path/to/endpoint` ... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
Use explicit user approval for mutating actions, especially sending emergency messages, removing users, disabling users, or using the raw proxy.
The agent can act through the connected Pushover account within the permissions granted to the Membrane connection.
The integration requires delegated Membrane/Pushover account access and ongoing credential handling, which is expected for the service but important for users to understand.
`membrane login --tenant` ... `Membrane handles authentication and credentials refresh automatically`
Connect only the intended Pushover account, review granted permissions, and revoke the Membrane connection when it is no longer needed.
Users rely on the npm package source and current published version of the Membrane CLI.
The setup asks users to install a global npm CLI package, while the artifact set has no install spec or lockfile for this dependency.
`npm install -g @membranehq/cli`
Install the CLI only from the expected npm package, verify the package publisher/version if needed, and keep it updated.
Pushover request data is routed via Membrane rather than directly from the user's environment to Pushover.
Pushover API requests and any message contents pass through Membrane as an authenticated proxy.
send requests directly to the Pushover API through Membrane's proxy ... injects the correct authentication headers
Avoid sending unnecessary sensitive content in notifications or raw proxy requests, and use Membrane only if its data handling is acceptable.