ClawHub

cc-sticky-notify

v1.0.2

Install, configure, or fix cc-sticky-notify — a notification system that displays a pinned yellow sticky note in the Mac top-right corner for key Claude Code...

1· 116·0 current·0 all-time
by@bucleliu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included files and instructions: a Swift floating window + shell wrapper to display sticky notifications on macOS. Requested tools (swiftc, codesign via Xcode CLT) are appropriate for compiling and signing the provided Swift app. No unrelated credentials, binaries, or cloud services are required.
Instruction Scope
Instructions are focused on installing and hooking the notify script into ~/.claude/settings.json and verifying operation. Runtime behavior goes beyond simply showing a notification: notify.sh inspects the ancestor process tree, queries System Events (osascript) to capture the front application/window title and position, and records session/project info. Capturing window titles and writing these artifacts to /tmp is consistent with the declared feature (showing source app/project) but is privacy-sensitive and worth the user's awareness.
Install Mechanism
No external downloads or network installs; the Swift binary is compiled locally and ad-hoc codesigned. This is low risk compared to fetching remote archives. Minor inconsistency: a comment mentions python3 for JSON parsing but the script doesn't enforce it; codesign uses ad-hoc signing with an entitlements file enabling apple-events—this is expected for macOS automation but may still prompt the user for permissions at runtime.
Credentials
The skill requests no environment variables or credentials. It exposes one optional env var (CC_STICKY_NOTIFY_CLOSE_TIMEOUT) which is justified. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill is not forced-always, is user-invocable, and does not modify other skills. It asks the user to add hooks to ~/.claude/settings.json (expected for a notification hook) and writes runtime state to /tmp under a skill-specific directory. It does not attempt to alter system-wide agent settings or other skills.
Assessment
This skill appears to do what it says, but review and accept these tradeoffs before installing: - Permissions: the tool uses Apple Events / System Events (osascript) and may trigger macOS automation/accessibility permission prompts; approving those grants the app the ability to inspect other apps/windows. - Privacy: notify.sh captures the front application's name and window title/position and includes your current working directory's basename as 'Project' — this may include sensitive information. - Local files: runtime state (content, pid, slot, sig, wid, etc.) is written to /tmp/cc-sticky-notify with predictable names; other local users could read these on a multi-user system. - Install: the Swift app is compiled locally and ad-hoc signed; no network fetches are performed. Confirm you trust the code before running install.sh. Recommended actions: inspect the scripts (notify.sh and sticky-window.swift) yourself (they are included), run install.sh in a test account or VM if you are unsure, and be prepared to deny Automation/Accessibility permissions if you do not want the app to read window titles or control other apps.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bhqxdt9dtkaq1cfeknbjw31841ea4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments