← Back to Skills Marketplace
jonasboury

Unformal Notifications

by Jonas Boury · GitHub ↗ · v1.1.0 · MIT-0
cross-platform ⚠ suspicious
152
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install unformal-notifications
Description
Get notified when someone completes an Unformal Pulse — via a scheduled Claude Code routine (hourly), a local desktop listener (real-time macOS notifications...
Usage Guidance
This skill is coherent with its purpose (notify you about Unformal Pulse completions) but take these precautions before installing: - Expect to provide your UNFORMAL_API_KEY; the registry failed to declare it—verify you are comfortable supplying that key. - Do NOT embed your API key inline into generated SKILL.md or other files unless you understand the file's storage/permissions; prefer setting UNFORMAL_API_KEY in your shell profile (~/.zshrc) or use a secure secret manager. - Inspect the unformal-listen.sh file you download; the repository package includes it so compare the downloaded copy with the one you reviewed. Prefer installing from a stable, signed release or a repository you control. - Limit file permissions on ~/.unformal and the scheduled task files (chmod 700/600) so other local users/processes can't read them. - If you need stronger isolation, run the listener in a dedicated container or separate account. If you want higher assurance, ask the publisher for: authoritative homepage/repo link, signed releases or checksums for the download URL, and an updated registry manifest that declares UNFORMAL_API_KEY as a required credential. If the publisher is unknown or you can't verify the download origin, treat the download/install step as higher risk.
Capability Analysis
Type: OpenClaw Skill Name: unformal-notifications Version: 1.1.0 The skill promotes a high-risk 'curl-to-shell' installation pattern in SKILL.md, directing users to download and execute a script from a remote URL (unformal.ai/unformal-listen.sh). Additionally, the provided script `scripts/unformal-listen.sh` contains a potential shell injection vulnerability in the `NOTIFY_FN` function, where unvalidated data from a remote API is passed into `osascript` or `notify-send` commands. While these behaviors align with the stated purpose of the tool, the combination of remote script execution and poor input sanitization poses a security risk.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The skill's name/description match the included script and SKILL.md: it polls Unformal and surfaces notifications. Requiring an Unformal API key and writing marker/inbox files in ~/.unformal is consistent with the stated purpose. However, the registry metadata declares no required env vars/primary credential while the SKILL.md and script clearly require UNFORMAL_API_KEY—an omission that reduces transparency and is unexpected.
Instruction Scope
Runtime instructions explicitly read/write files under the user's home (~/.unformal, ~/.unformal/last-seen, ~/.claude/scheduled-tasks/...), suggest sourcing arbitrary local secret files, and recommend embedding an API key inline into generated SKILL.md. Embedding secrets into files that live under ~/.claude or in a scheduled routine increases the risk of secret leakage. The script also instructs downloading an executable via curl and placing it in ~/bin—normal for CLI tools, but it increases attack surface if the source is untrusted.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md advises using curl to fetch a single script from https://unformal.ai/unformal-listen.sh and saving it to ~/bin. Downloading a single script from the project's domain is common but still higher-risk than package-managed installs because it executes code fetched at install time. The package itself includes the script, which helps reviewability, but the user guidance to curl the upstream URL could fetch a different file later.
Credentials
The skill only needs an Unformal API key to function, which is proportionate. But the manifest does not declare this required env var (transparency problem). More importantly, the instructions explicitly suggest embedding the API key inline in SKILL.md or sourcing arbitrary local secrets files—both practices can expose credentials to other local apps or to any system/process that can read those files. The script itself accepts the key via env var or --key flag (good), but the guidance to embed keys into scheduled task files is risky.
Persistence & Privilege
The skill does not request always:true or any global privileges. It runs only when invoked (or when you create a local routine). It writes files only under the user's home (~/bin, ~/.unformal, ~/.claude scheduled-tasks) and does not modify other skills or system-wide settings—this is within expected bounds for a desktop notification helper.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install unformal-notifications
  3. After installation, invoke the skill by name or use /unformal-notifications
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Initial publish. Desktop SSE listener + Claude scheduled-task routine for Pulse completion alerts.
Metadata
Slug unformal-notifications
Version 1.1.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Unformal Notifications?

Get notified when someone completes an Unformal Pulse — via a scheduled Claude Code routine (hourly), a local desktop listener (real-time macOS notifications... It is an AI Agent Skill for Claude Code / OpenClaw, with 152 downloads so far.

How do I install Unformal Notifications?

Run "/install unformal-notifications" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Unformal Notifications free?

Yes, Unformal Notifications is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Unformal Notifications support?

Unformal Notifications is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Unformal Notifications?

It is built and maintained by Jonas Boury (@jonasboury); the current version is v1.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments