Cmdnotify

Pass. Audited by ClawScan on May 9, 2026.

Overview

Cmdnotify is a disclosed command-monitoring guide, but it would repeatedly run user-configured shell commands, can send alert data to external webhooks, and does not include the Go source code it references.

Only install or use this if you intentionally want a local process that periodically runs commands you specify. Review every command and notification endpoint, avoid monitoring outputs that may contain secrets, protect webhook URLs, and obtain any missing Go source code from a trusted source before building or running it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a configuration contains unsafe, destructive, or overly frequent commands, the monitor could repeatedly run them on the user's machine.

Why it was flagged

The documented configuration allows arbitrary shell commands and notification commands to be run repeatedly. This is central to the skill's purpose, but it is a powerful capability.

Skill content

`command` | string | required | Shell command to execute ... `interval` | duration | `1s` ... `notify_cmd` | string | `""` | Custom notification command

Recommendation

Use only user-reviewed configurations, avoid destructive commands, set conservative intervals and timeouts, and run with the least privileges needed.

What this means

Command output or operational details could be sent outside the local machine if the user configures an external notification endpoint.

Why it was flagged

The custom notification example can transmit alert messages, which may include command output or system status, to an external webhook.

Skill content

"notify_cmd": "curl -X POST -d '{\"text\":\"$CMD_MESSAGE\"}' https://hooks.slack.com/services/..."

Recommendation

Send alerts only to trusted endpoints, avoid including secrets in monitored command output, and protect webhook URLs as credentials.

What this means

A user may need to obtain or create the missing code elsewhere, which introduces provenance and review uncertainty.

Why it was flagged

The skill documentation describes building and running a Go tool, but the reviewed package contains no Go source files or install specification, so the claimed implementation cannot be verified from these artifacts.

Skill content

No install spec — this is an instruction-only skill. No code files present — this is an instruction-only skill.

Recommendation

Use source code from a trusted, reviewable location before building or running the monitor, and verify that it matches the documented behavior.