Gotify
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: gotify Version: 1.0.1 The skill is designed to send Gotify push notifications, which inherently requires network access and handling an API token. The `scripts/send.sh` script uses `curl` to send data to the user-configured Gotify server and `jq` for safe JSON payload construction. Credentials (`url`, `token`) are read from a dedicated local file (`~/.clawdbot/credentials/gotify/config.json`), which is a standard and expected practice for OpenClaw skills. The `SKILL.md` instructions for the agent are clear, aligned with the stated purpose, and do not contain any prompt injection attempts to subvert the agent's behavior or exfiltrate data. No evidence of malicious execution, persistence, or obfuscation was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You are relying on the files shown in the skill package rather than a verifiable upstream source.
No upstream source or homepage is provided, so users can review the included files but cannot verify external project provenance from the registry metadata.
Source: unknown; Homepage: none
Review the included script before use and install only from a trusted registry/account.
Notification text, titles, and priority values you provide are sent to the configured Gotify server and may alert your devices.
The helper performs an external POST to the configured Gotify server with the notification payload; this is disclosed and central to the skill's purpose.
curl -sS -X POST "$GOTIFY_URL/message?token=$GOTIFY_TOKEN" -H "Content-Type: application/json" -d "$PAYLOAD"
Verify the Gotify URL, use HTTPS, and avoid placing secrets or sensitive details in notification messages unless that server is trusted.
Anyone with the configured app token could send messages to your Gotify instance, including disruptive high-priority alerts.
The skill requires a Gotify app token to create messages. This authority is expected for the purpose, but it is sensitive and should be scoped and protected.
Create the credentials file: `~/.clawdbot/credentials/gotify/config.json` ... `"token": "YOUR_APP_TOKEN"` ... App token must have "create message" permission
Use a Gotify app token limited to message creation, keep the config file private, and rotate the token if it may have been exposed.