Gotify
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill coherently sends user-requested Gotify notifications, but it requires a local Gotify app token and sends notification text to the configured server.
Safe to install if you trust the package and your Gotify server. Before use, create a least-privileged Gotify app token, store it securely, verify the configured URL uses HTTPS, and avoid sending secrets in notification text.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You are relying on the files shown in the skill package rather than a verifiable upstream source.
No upstream source or homepage is provided, so users can review the included files but cannot verify external project provenance from the registry metadata.
Source: unknown; Homepage: none
Review the included script before use and install only from a trusted registry/account.
Notification text, titles, and priority values you provide are sent to the configured Gotify server and may alert your devices.
The helper performs an external POST to the configured Gotify server with the notification payload; this is disclosed and central to the skill's purpose.
curl -sS -X POST "$GOTIFY_URL/message?token=$GOTIFY_TOKEN" -H "Content-Type: application/json" -d "$PAYLOAD"
Verify the Gotify URL, use HTTPS, and avoid placing secrets or sensitive details in notification messages unless that server is trusted.
Anyone with the configured app token could send messages to your Gotify instance, including disruptive high-priority alerts.
The skill requires a Gotify app token to create messages. This authority is expected for the purpose, but it is sensitive and should be scoped and protected.
Create the credentials file: `~/.clawdbot/credentials/gotify/config.json` ... `"token": "YOUR_APP_TOKEN"` ... App token must have "create message" permission
Use a Gotify app token limited to message creation, keep the config file private, and rotate the token if it may have been exposed.
