Agent Notify Security Report — Trusted | ClawSafe

5 /100

Agent Notify

Cross-platform notification sound and taskbar flash for AI coding agents

Agent Notify is a legitimate, well-documented notification utility for AI coding agents. All behavior — shell execution, file writes, agent config modification — is explicitly declared in SKILL.md. No malicious patterns, credential access, data exfiltration, or obfuscation observed.

Skill NameAgent Notify

Duration43.8s

Enginepi

✓

Safe to install

No action required. This skill is safe to use.

Findings 3 items

Severity	Finding	Location
Low	Overly broad trigger keywords Doc Mismatch The skill defines 26 Chinese and English trigger keywords (e.g., '提示音', 'notify', 'beep', 'bell'). While expansive, this is a common pattern for skill engines and is clearly documented with no security impact. `triggers: ["提示音", "通知提醒", ..., "notification setup"]` → Consider narrowing trigger keywords if false activations become problematic. This is a UX concern, not a security issue.	`skill.md:1`
Low	Missing Windows script file Supply Chain SKILL.md references scripts/notify-windows.ps1 and the README project structure lists it, but the file is not present in the package. If a user selects Windows during quick setup, the installation would fail or attempt an incomplete configuration. `cp "<skill_dir>/scripts/notify-windows.ps1" "$AGENT_HOME/notify.ps1"` → Add the missing notify-windows.ps1 script or remove Windows from supported platforms in the documentation.	`skill.md:88`
Info	No dependency pinning Supply Chain The skill relies on external tools (jq, python3, paplay, aplay, pw-play, notify-send, afplay) without pinning versions. These are standard OS-level tools, not package dependencies, so this is low risk. `if command -v jq &>/dev/null; then` → No action required. These are system binaries, not pip/npm packages.	`scripts/notify-linux.sh, scripts/notify-macos.sh:1`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	skill.md:3 — 'Skill definition' with full install/uninstall instructions for fil…
Shell	`WRITE`	`WRITE`	✓ Aligned	skill.md:3 — PowerShell/bash execution explicitly documented for OS detection, s…
Network	`NONE`	`NONE`	—	No network operations in any script
Environment	`NONE`	`NONE`	—	No environment variable access in any script
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser access
Database	`NONE`	`NONE`	—	No database access
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation

3 findings

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/License-GPLv3-blue.svg

README.md:7

🔗

Medium External URL 外部 URL

https://www.gnu.org/licenses/gpl-3.0

README.md:7

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/Platform-Windows%20%7C%20macOS%20%7C%20Linux-brightgreen.svg

README.md:8

File Tree

5 files · 21.5 KB · 759 lines

Markdown 2f · 588L Shell 2f · 148L JSON 1f · 23L

├─ ▾ 📁 config

│ └─ 📋 default.json JSON 23L · 427 B

├─ ▾ 📁 scripts

│ ├─ 🔧 notify-linux.sh Shell 76L · 2.1 KB

│ └─ 🔧 notify-macos.sh Shell 72L · 2.1 KB

├─ 📝 README.md Markdown 165L · 4.2 KB

└─ 📝 skill.md Markdown 423L · 12.7 KB

Security Positives

✓ All file operations are explicitly declared in SKILL.md with exact commands and file paths

✓ Agent config modification uses safe merge strategy — never overwrites existing settings

✓ No credential harvesting, API key access, or sensitive path traversal

✓ No base64 encoding, eval, or obfuscated execution patterns

✓ No network requests or data exfiltration endpoints

✓ Scripts use graceful fallbacks for missing tools (e.g., jq→python3, paplay→aplay→pw-play)

✓ Uninstall function properly cleans all created files and settings entries

✓ OS detection via uname is non-destructive and read-only

✓ Config parsing uses standard JSON libraries with no shell injection vectors

Scan Report

Findings 3 items

File Tree

Security Positives