ClawHub

Gotify

v1.0.1

Send push notifications via Gotify when long-running tasks complete or important events occur. Use when the user asks to "send a Gotify notification", "notify me when this finishes", "push notification", "alert me via Gotify", or wants to be notified of task completion.

1· 2.6k·7 current·7 all-time
by@jmagar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (curl, jq), and included script align with a Gotify notification skill. Minor inconsistency: registry metadata lists no required config paths/env vars, but SKILL.md and scripts expect a credentials file at ~/.clawdbot/credentials/gotify/config.json (and the script supports overriding that path via GOTIFY_CONFIG_FILE).
Instruction Scope
SKILL.md instructs the agent to call the included send.sh script and to create a local credentials JSON. The instructions stay within the stated purpose (sending notifications) and do not request unrelated files or secrets beyond the Gotify token/config file. Examples reference integrating the script into command workflows.
Install Mechanism
No install spec (instruction-only plus a small shell script). Nothing is downloaded or installed automatically, so runtime risk is low and actions are visible on disk.
Credentials
The skill does not require broad credentials; it only needs a Gotify URL and application token. Minor documentation mismatch: README mentions alternative environment variables GOTIFY_URL/GOTIFY_TOKEN, but the actual script reads a config JSON (or an override path via GOTIFY_CONFIG_FILE). No unexpected credentials are requested.
Persistence & Privilege
Skill does not request always: true and does not attempt to modify other skills or system settings. It runs on explicit invocation (or when the agent decides to invoke it) and only sends notifications to the configured Gotify endpoint.
Assessment
This skill appears to do exactly what it says: a small bash script posts messages to your Gotify server. Before installing, verify the following: (1) create the credentials file at ~/.clawdbot/credentials/gotify/config.json (or set GOTIFY_CONFIG_FILE to point to it) since the script does not actually read GOTIFY_URL/GOTIFY_TOKEN despite README text claiming that option; (2) keep the config file readable only by the intended user (tokens are sensitive); (3) the script sends the token in the URL query string (message?token=...), which may be logged by intermediaries—prefer HTTPS and confirm your Gotify endpoint is trusted; (4) review and test the script locally to confirm behavior and response handling (it prints the raw response); and (5) because the skill will contact whatever GOTIFY_URL you configure, ensure that host is correct and trusted. These are operational/privacy cautions rather than indications of malicious intent.

Like a lobster shell, security has layers — review code before you run it.

latestvk97288vhw7pevw528ma2jxhngd7zsssa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔔 Clawdis
Binscurl, jq

Comments