Web Push Notifications
Verdict: Pass. Audited by ClawScan on May 14, 2026.
Overview
This is a documentation-only Web Push guide. The only credential handling it describes is the expected use of notification credentials (VAPID keys, GCM/API keys and subscription secrets), the only install step is the npm package, and it shows no hidden code or exfiltration behavior.
This appears safe as an instruction-only Web Push reference. Before using it, protect VAPID private keys, GCM/API keys, and subscription auth secrets; install the npm package from a trusted source with pinned versions for production; and send notifications only to users who have explicitly subscribed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If misused, the instructions could help send unwanted or high-urgency notifications to subscribed users.
The core workflow sends browser push notifications to a subscription endpoint. This is the skill's stated purpose, but it can affect end users if used without consent or rate limits.
await webpush.sendNotification(pushSubscription, 'Hello World', { ... urgency: 'high' ... });
Send only to users who opted in, validate payloads, rate-limit notification sends, and require human review before bulk or high-urgency sends.
Leaked VAPID private keys, GCM keys, or subscription auth secrets could allow unauthorized notification sending or require subscription/key rotation.
The examples use VAPID private keys and PushSubscription authentication secrets. These credentials are expected for Web Push, but they grant authority to send authenticated push messages.
web-push send-notification ... --key=<p256dh> --auth=<auth_secret> ... --vapid-pvtkey=<priv>
Store VAPID private keys and API keys in a secret manager or environment variables, avoid exposing secrets in shell history, and rotate keys if they are accidentally shared.
Installing an unpinned npm package can pull whatever version is current at install time.
The documentation tells users to install the external npm package used for the integration. This is purpose-aligned, but the package/version is not pinned in the example.
npm install web-push --save
Use a trusted package source, pin or lock dependency versions in production projects, and prefer project-local installs over global installs unless the CLI is specifically needed.
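A quick way to catch the unpinned install described in this finding is to lint the dependency specs in package.json. The block below is an added example for this review, not code from the skill: it flags any dependency whose spec is a range, tag, alias or URL rather than an exact version. The sample package.json and its version numbers are constructed.

```javascript
// Added example, not the skill's own code.
// An exact version is MAJOR.MINOR.PATCH with an optional prerelease suffix;
// carets, tildes, wildcards, tags ("latest"), aliases and git URLs all fail.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function unpinnedDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (!EXACT_VERSION.test(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Constructed sample: `npm install web-push --save` writes a caret range by
// default, which is exactly what this check is meant to surface.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'push-service',
  dependencies: { 'web-push': '^3.6.0', express: '4.19.0' },
  devDependencies: { eslint: '~9.0.0' },
});
```

Running unpinnedDependencies(SAMPLE_PACKAGE_JSON) reports web-push and eslint and passes express. To fix a flagged entry, reinstall with `npm install --save-exact web-push` (or set `save-exact=true` in .npmrc), commit the lockfile, and use `npm ci` in production builds so the install fails rather than drifting when the lockfile and package.json disagree.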
