Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

bark-push

v1.0.0

A professional Bark push skill. Supports sending messages using the notification format defined by the LobeHub marketplace specification.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code's primary behavior (HTTP GET to api.day.app using a Bark key) matches the 'bark-push' purpose. However, the implementation looks for a BARK_KEY in an arbitrary ancestor file (../../USER.md), which is not obviously required for a push helper and is not documented as a required config path in the registry metadata.
Instruction Scope
SKILL.md suggests running node push.js and that the key can come from the BARK_KEY env var, which is reasonable. The included push.js also tries to read ../../USER.md to extract a key if the env var is not set — this is scope creep (it reads files outside the skill folder) and could read sensitive information unexpectedly.
Install Mechanism
There is no install spec; this is an instruction-only skill with a small JavaScript file and a documented binary dependency on node. No remote downloads or extraction are performed.
Credentials
The skill uses a BARK_KEY environment variable but the registry metadata lists 'Required env vars: none'. The code will exit if no key is found. Requiring a single service key is proportionate, but searching for the key in ../../USER.md increases risk of accidental exposure of secrets.
Persistence & Privilege
The skill does not request permanent presence, does not modify other skills, and does not write persistent configuration. It only performs an HTTPS GET and local file reads.
What to consider before installing
This skill appears to do what it claims (send Bark notifications via api.day.app) but it will try to read a BARK_KEY from an ancestor file at ../../USER.md if the BARK_KEY env var is not set. That file-read is the main red flag: it may expose secrets outside the skill directory. Before installing or running: (1) prefer setting BARK_KEY in the environment and do not rely on the USER.md fallback; (2) inspect ../../USER.md in your workspace to ensure it contains nothing sensitive or rename/remove keys there; (3) if you control the skill, remove or restrict the USER.md lookup (or limit path scope) so it only reads explicit, documented config files; (4) run the script in a sandbox or limited environment if you are unsure. If the author can explain why the ancestor USER.md lookup is necessary (for example, a known monorepo layout), that would reduce concern.




Runtime requirements

Bins: node
