Cmdnotify

Pass
Audited by VirusTotal on May 9, 2026.

Overview

Type: OpenClaw Skill
Name: cmdnotify
Version: 1.0.1

The skill describes a tool designed to execute arbitrary shell commands on a schedule and monitor their output. A significant security concern is the 'notify_cmd' feature documented in SKILL.md, which suggests interpolating environment variables such as '$CMD_MESSAGE' (containing command output) directly into shell strings; this pattern is highly susceptible to shell injection if the underlying implementation lacks strict sanitization of that output. While the tool's capabilities are aligned with its stated purpose as a monitoring utility, the inherent risk of arbitrary execution and the potential for injection make it suspicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a configuration contains unsafe, destructive, or overly frequent commands, the monitor could repeatedly run them on the user's machine.

Why it was flagged

The documented configuration allows arbitrary shell commands and notification commands to be run repeatedly. This is central to the skill's purpose, but it is a powerful capability.

Skill content
`command` | string | required | Shell command to execute ...
`interval` | duration | `1s` ...
`notify_cmd` | string | `""` | Custom notification command
Recommendation

Use only user-reviewed configurations, avoid destructive commands, set conservative intervals and timeouts, and run with the least privileges needed.

What this means

Command output or operational details could be sent outside the local machine if the user configures an external notification endpoint.

Why it was flagged

The custom notification example can transmit alert messages, which may include command output or system status, to an external webhook.

Skill content
"notify_cmd": "curl -X POST -d '{\"text\":\"$CMD_MESSAGE\"}' https://hooks.slack.com/services/..."
Recommendation

Send alerts only to trusted endpoints, avoid including secrets in monitored command output, and protect webhook URLs as credentials.

What this means

A user may need to obtain or create the missing code elsewhere, which introduces provenance and review uncertainty.

Why it was flagged

The skill documentation describes building and running a Go tool, but the reviewed package contains no Go source files or install specification, so the claimed implementation cannot be verified from these artifacts.

Skill content
No install spec — this is an instruction-only skill.
No code files present — this is an instruction-only skill.
Recommendation

Use source code from a trusted, reviewable location before building or running the monitor, and verify that it matches the documented behavior.