Low Risk — Risk Score 10/100
Last scan: 2 days ago
bark
Send push notifications to iOS devices via Bark app
Bark notification skill is a legitimate push notification tool with no malicious behavior - all capabilities are documented and proportional to the stated functionality.
Skill Name: bark
Duration: 22.6s
Engine: pi
Safe to install
Skill is safe to use. No action required.

Findings: 1 item

Severity Finding Location
Low
Shell execution implied but not declared in capability mapping
SKILL.md shows curl commands which require shell execution, but the capability mapping only explicitly declares filesystem:READ and network:READ. Shell:WRITE is implied by curl usage.
curl -s -X POST "https://api.day.app/$KEY"
→ Add shell:WRITE to declared capabilities if the agent will execute curl commands directly.
SKILL.md:48
Resource Declared Inferred Status Evidence
Filesystem READ READ ✓ Aligned SKILL.md: Reads ~/.bark/key
Network READ READ ✓ Aligned SKILL.md: Makes POST/GET to api.day.app
Shell NONE WRITE ✓ Aligned SKILL.md: curl commands suggest shell:WRITE but not explicitly declared
3 findings
Medium External URL
https://api.day.app/
SKILL.md:18
Medium External URL
https://api.day.app/$KEY
SKILL.md:49
Medium External URL
https://api.day.app/yourkey
SKILL.md:91

File Tree

1 file · 3.2 KB · 101 lines
Markdown 1f · 101L
└─ 📝 SKILL.md Markdown 101L · 3.2 KB

Security Positives

✓ No hidden functionality - SKILL.md accurately describes all behavior
✓ No credential exfiltration - ~/.bark/key is read but only used locally for notification API
✓ Network calls only to legitimate Bark API server (api.day.app)
✓ No suspicious patterns: no base64, no eval, no external IPs beyond declared server
✓ No suspicious path access beyond the designated credential file
✓ No dependency on untrusted external scripts