Universal Notify
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: universal-notify Version: 1.0.0 The skill bundle 'universal-notify' provides a utility script to send notifications via various channels (ntfy, Gotify, webhooks, email, Telegram, Pushover). The `SKILL.md` documentation clearly describes its purpose and usage without any prompt injection attempts against the AI agent. The `scripts/notify.sh` script uses `curl` to perform network requests to legitimate notification services, taking all necessary parameters (URLs, tokens, messages) as explicit arguments. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation. The functionality is clearly aligned with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a wrong or untrusted webhook URL is used, notification content could be sent to the wrong external service.
The webhook channel posts notification content to a user-supplied URL. This is central to the skill's purpose, but the destination controls where the message is sent.
curl -sf -X POST -H "Content-Type: application/json" -d "$JSON" "$URL"
Use only trusted notification endpoints and avoid putting secrets or highly sensitive data in notification messages.
Anyone with these tokens may be able to send notifications through the associated service or account.
Several supported channels require service credentials. This is expected for Gotify, Telegram, and Pushover notification delivery, and the artifacts do not show unrelated credential use.
--token TOKEN ... --bot-token BOT:TOK ... --app-token X --user-key Y
Use least-privileged tokens where possible, keep them out of shared logs or chat history, and rotate them if exposed.
The skill may fail until curl is available on the system.
The package metadata does not declare curl as a required binary, while the script and documentation require it. This is an installation clarity issue, not hidden behavior.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Confirm curl is installed before use, and the publisher should declare curl in the skill metadata.