Cmdnotify
Advisory
Audited by Static analysis on May 9, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a configuration contains unsafe, destructive, or overly frequent commands, the monitor could repeatedly run them on the user's machine.
The documented configuration allows arbitrary shell commands and notification commands to be run repeatedly. This is central to the skill's purpose, but it is a powerful capability.
`command` | string | required | Shell command to execute ... `interval` | duration | `1s` ... `notify_cmd` | string | `""` | Custom notification command
Use only user-reviewed configurations, avoid destructive commands, set conservative intervals and timeouts, and run with the least privileges needed.
Command output or operational details could be sent outside the local machine if the user configures an external notification endpoint.
The custom notification example can transmit alert messages, which may include command output or system status, to an external webhook.
"notify_cmd": "curl -X POST -d '{\"text\":\"$CMD_MESSAGE\"}' https://hooks.slack.com/services/..."
Send alerts only to trusted endpoints, avoid including secrets in monitored command output, and protect webhook URLs as credentials.
A user may need to obtain or create the missing code elsewhere, which introduces provenance and review uncertainty.
The skill documentation describes building and running a Go tool, but the reviewed package contains no Go source files or install specification, so the claimed implementation cannot be verified from these artifacts.
No install spec — this is an instruction-only skill. No code files present — this is an instruction-only skill.
Use source code from a trusted, reviewable location before building or running the monitor, and verify that it matches the documented behavior.
