Security Audit

universal-notify

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

universal-notify received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 7 findings: 5 critical, 1 high, 1 medium, and 0 low severity. Key findings include Sensitive environment variable access: $USER, Shell Command Injection via `ntfy` URL/Topic Parameters, Shell Command Injection via `gotify` URL/Token Parameters.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

93%

Dependency Graph

100%

LLM Behavioral Safety

Behavioral Risk Signals

Network Access

6 findings

Shell Execution

6 findings

Dynamic Code

6 findings

Excessive Permissions

1 finding

Security Findings7

Severity	Finding	Layer	Location
CRITICAL	Shell Command Injection via `ntfy` URL/Topic Parameters The `ntfy` channel constructs the target URL by directly interpolating `$NTFY_SERVER` and `$TOPIC` into the `curl` command line. If an attacker can control these variables and inject shell metacharacters (e.g., `;`, `&`, `\|`, `$(...)`, `` `...` ``), arbitrary shell commands will be executed by the host system before `curl` is invoked. This leads to remote code execution. Ensure that all URL components (`$NTFY_SERVER`, `$TOPIC`) are properly validated and URL-encoded. Pass the complete, sanitized URL as a single argument to `curl` using the `--url` option (e.g., `curl --url "$FULL_URL" ...`) to prevent shell interpretation of metacharacters within the URL.	LLM	scripts/notify.sh:90
CRITICAL	Shell Command Injection via `gotify` URL/Token Parameters The `gotify` channel constructs the target URL by directly interpolating `$URL` and `$TOKEN` into the `curl` command line. If an attacker can control these variables and inject shell metacharacters (e.g., `;`, `&`, `\|`, `$(...)`, `` `...` ``), arbitrary shell commands will be executed by the host system before `curl` is invoked. This leads to remote code execution. Ensure that all URL components (`$URL`, `$TOKEN`) are properly validated and URL-encoded. Pass the complete, sanitized URL as a single argument to `curl` using the `--url` option (e.g., `curl --url "$FULL_URL" ...`) to prevent shell interpretation of metacharacters within the URL.	LLM	scripts/notify.sh:98
CRITICAL	Shell Command Injection via `webhook` URL Parameter The `webhook` channel uses the user-provided `$URL` directly as an argument to `curl`. If an attacker can control `$URL` and inject shell metacharacters (e.g., `;`, `&`, `\|`, `$(...)`, `` `...` ``), arbitrary shell commands will be executed by the host system before `curl` is invoked. This leads to remote code execution. Ensure that the `$URL` variable is properly validated and URL-encoded. Pass the sanitized URL as a single argument to `curl` using the `--url` option (e.g., `curl --url "$URL" ...`) to prevent shell interpretation of metacharacters within the URL.	LLM	scripts/notify.sh:107
CRITICAL	Shell Command Injection via `email` SMTP/Address Parameters The `email` channel uses user-provided `$SMTP`, `$FROM`, and `$TO` variables directly as arguments to `curl`. If an attacker can control these variables and inject shell metacharacters (e.g., `;`, `&`, `\|`, `$(...)`, `` `...` ``), arbitrary shell commands will be executed by the host system before `curl` is invoked. This leads to remote code execution. Ensure that `$SMTP`, `$FROM`, and `$TO` variables are properly validated and sanitized. While `--url`, `--mail-from`, and `--mail-rcpt` options help, shell metacharacters in the variable values themselves can still lead to injection. Consider stricter validation for these inputs.	LLM	scripts/notify.sh:115
CRITICAL	Shell Command Injection via `telegram` Bot Token Parameter The `telegram` channel constructs the API URL by directly interpolating `$BOT_TOKEN` into the `curl` command line. If an attacker can control `$BOT_TOKEN` and inject shell metacharacters (e.g., `;`, `&`, `\|`, `$(...)`, `` `...` ``), arbitrary shell commands will be executed by the host system before `curl` is invoked. This leads to remote code execution. Ensure that the `$BOT_TOKEN` variable is properly validated and URL-encoded. Construct the full URL string and pass it as a single argument to `curl` using the `--url` option (e.g., `curl --url "$FULL_URL" ...`) to prevent shell interpretation of metacharacters within the URL.	LLM	scripts/notify.sh:123
HIGH	HTTP Header Injection via `ntfy` Title Parameter The `ntfy` channel constructs HTTP headers using the user-provided `$TITLE` variable. If `$TITLE` contains newline characters (`\n`), an attacker can inject arbitrary HTTP headers into the `curl` request. This could be used to bypass security controls, exfiltrate data, or manipulate the request in unintended ways. Sanitize the `$TITLE` variable to remove or escape newline characters before it is used in HTTP headers. A robust solution would be to disallow newlines in the title or URL-encode the title if it's part of a URL path/query.	LLM	scripts/notify.sh:88
MEDIUM	Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/josunlp/universal-notify/scripts/notify.sh:127

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/f6e10761584f78d9.svg)](https://skillshield.io/report/f6e10761584f78d9)