Skill v1.1.0
ClawScan security
Unformal Notifications · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 19, 2026, 6:21 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it claims (poll Unformal and show local notifications), but the runtime instructions encourage practices that could expose your Unformal API key, and the registry metadata omits the required credential. This mismatch and the advice to embed secrets inline are concerning.
- Guidance: This skill is coherent with its purpose (notify you about Unformal Pulse completions), but take these precautions before installing:
  - Expect to provide your UNFORMAL_API_KEY; the registry failed to declare it. Verify you are comfortable supplying that key.
  - Do NOT embed your API key inline into generated SKILL.md or other files unless you understand the file's storage/permissions; prefer setting UNFORMAL_API_KEY in your shell profile (~/.zshrc) or use a secure secret manager.
  - Inspect the unformal-listen.sh file you download; the repository package includes it, so compare the downloaded copy with the one you reviewed. Prefer installing from a stable, signed release or a repository you control.
  - Limit file permissions on ~/.unformal and the scheduled task files (chmod 700/600) so other local users/processes can't read them.
  - If you need stronger isolation, run the listener in a dedicated container or separate account.

  If you want higher assurance, ask the publisher for: an authoritative homepage/repo link, signed releases or checksums for the download URL, and an updated registry manifest that declares UNFORMAL_API_KEY as a required credential. If the publisher is unknown or you can't verify the download origin, treat the download/install step as higher risk.
Review Dimensions
- Purpose & Capability (note): The skill's name/description match the included script and SKILL.md: it polls Unformal and surfaces notifications. Requiring an Unformal API key and writing marker/inbox files in ~/.unformal is consistent with the stated purpose. However, the registry metadata declares no required env vars/primary credential while the SKILL.md and script clearly require UNFORMAL_API_KEY, an omission that reduces transparency and is unexpected.
- Instruction Scope (concern): Runtime instructions explicitly read/write files under the user's home (~/.unformal, ~/.unformal/last-seen, ~/.claude/scheduled-tasks/...), suggest sourcing arbitrary local secret files, and recommend embedding an API key inline into generated SKILL.md. Embedding secrets into files that live under ~/.claude or in a scheduled routine increases the risk of secret leakage. The script also instructs downloading an executable via curl and placing it in ~/bin. This is normal for CLI tools, but it increases attack surface if the source is untrusted.
- Install Mechanism (note): There is no formal install spec in the registry, but SKILL.md advises using curl to fetch a single script from https://unformal.ai/unformal-listen.sh and saving it to ~/bin. Downloading a single script from the project's domain is common but still higher-risk than package-managed installs because it executes code fetched at install time. The package itself includes the script, which helps reviewability, but the user guidance to curl the upstream URL could fetch a different file later.
- Credentials (concern): The skill only needs an Unformal API key to function, which is proportionate. But the manifest does not declare this required env var (transparency problem). More importantly, the instructions explicitly suggest embedding the API key inline in SKILL.md or sourcing arbitrary local secrets files; both practices can expose credentials to other local apps or to any system/process that can read those files. The script itself accepts the key via env var or --key flag (good), but the guidance to embed keys into scheduled task files is risky.
- Persistence & Privilege (ok): The skill does not request always:true or any global privileges. It runs only when invoked (or when you create a local routine). It writes files only under the user's home (~/bin, ~/.unformal, ~/.claude scheduled-tasks) and does not modify other skills or system-wide settings; this is within expected bounds for a desktop notification helper.
