Universal Notify
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a wrong or untrusted webhook URL is used, notification content could be sent to the wrong external service.
The webhook channel posts notification content to a user-supplied URL. This is central to the skill's purpose, but the destination controls where the message is sent.
curl -sf -X POST -H "Content-Type: application/json" -d "$JSON" "$URL"
Use only trusted notification endpoints and avoid putting secrets or highly sensitive data in notification messages.
Anyone with these tokens may be able to send notifications through the associated service or account.
Several supported channels require service credentials. This is expected for Gotify, Telegram, and Pushover notification delivery, and the artifacts do not show unrelated credential use.
--token TOKEN ... --bot-token BOT:TOK ... --app-token X --user-key Y
Use least-privileged tokens where possible, keep them out of shared logs or chat history, and rotate them if exposed.
The skill may fail until curl is available on the system.
The package metadata does not declare curl as a required binary, while the script and documentation require it. This is an installation clarity issue, not hidden behavior.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Confirm curl is installed before use, and the publisher should declare curl in the skill metadata.