openlark

Web Push Notifications

by OpenLark · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
63 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install web-push
Description
Send Web Push notifications from a Node.js backend using the web-push npm library (VAPID authentication, payload encryption). Covers generating VAPID keys, s...
README (SKILL.md)

Web Push Notifications

Send push notifications to browsers (Chrome, Firefox, Edge, Safari) using the web-push npm library, which implements the Web Push Protocol with VAPID authentication and payload encryption per Message Encryption for Web Push.

Use Cases

Use when working with Push API subscriptions, browser push notifications, VAPID key management, Web Push Protocol implementation, or web-push npm package integration.

Quick Start

const webpush = require('web-push');

// 1. Generate VAPID keys ONCE, store permanently
const vapidKeys = webpush.generateVAPIDKeys();

// 2. Set credentials
webpush.setGCMAPIKey('<Your GCM API Key Here>');
webpush.setVapidDetails(
  'mailto:[email protected]',
  vapidKeys.publicKey,
  vapidKeys.privateKey
);

// 3. Subscribe in the browser (client-side)
// registration.pushManager.subscribe({
//   userVisibleOnly: true,
//   applicationServerKey: vapidPublicKey
// });

// 4. Send from server
const pushSubscription = {
  endpoint: 'https://fcm.googleapis.com/fcm/send/...',
  keys: { p256dh: '...', auth: '...' }
};

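// sendNotification returns a Promise; top-level await is not available in a CommonJS script
webpush.sendNotification(pushSubscription, 'Hello World')
  .catch((err) => console.error(err));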

Core Workflows

Generate VAPID Keys

Generate once, store permanently. The public key is used as applicationServerKey in the browser. Never regenerate for the same application — you'll break existing subscriptions.

const vapidKeys = webpush.generateVAPIDKeys();
// { publicKey: '...', privateKey: '...' }

Set Credentials

webpush.setVapidDetails(
  'mailto:[email protected]',  // mailto: or https: URI
  process.env.VAPID_PUBLIC_KEY,
  process.env.VAPID_PRIVATE_KEY
);
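
The credentials set above are used to sign a short-lived token that accompanies each push request. As an added illustration (not code from the skill or from the web-push library), this builds and checks a VAPID Authorization header as described in RFC 8292 using Node's crypto module; the function names, the example.com subject and the generated key pair are assumptions made for the demo.

```javascript
const crypto = require('crypto');
const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Constructed P-256 key pair for the demo; publicKeyRaw is the 65-byte point (0x04 || x || y).
function makeVapidKeyPair() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const { x, y } = publicKey.export({ format: 'jwk' });
  const publicKeyRaw = Buffer.concat(
    [Buffer.from([4]), Buffer.from(x, 'base64url'), Buffer.from(y, 'base64url')]);
  return { privateKey, publicKeyRaw };
}

// Build the Authorization header value: an ES256 JWT bound to the endpoint's origin.
function buildVapidAuth(endpoint, subject, privateKey, publicKeyRaw, nowSec, ttlSec = 12 * 3600) {
  if (!/^(mailto:|https:)/.test(subject)) throw new Error('subject must be mailto: or https:');
  if (ttlSec > 24 * 3600) throw new Error('exp may be at most 24 hours ahead');
  const claims = { aud: new URL(endpoint).origin, exp: nowSec + ttlSec, sub: subject };
  const head = b64url(JSON.stringify({ typ: 'JWT', alg: 'ES256' }));
  const input = `${head}.${b64url(JSON.stringify(claims))}`;
  // JWS ES256 uses the raw r || s signature (IEEE P1363), not DER.
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return { claims, header: `vapid t=${input}.${b64url(sig)}, k=${b64url(publicKeyRaw)}` };
}

// Check the header the way a receiving push service would: signature, audience, expiry.
function checkVapidAuth(header, endpoint, nowSec) {
  const m = /^vapid t=([\w-]+)\.([\w-]+)\.([\w-]+), k=([\w-]+)$/.exec(header);
  if (!m) return 'malformed';
  const raw = Buffer.from(m[4], 'base64url');
  if (raw.length !== 65 || raw[0] !== 4) return 'malformed';
  const key = crypto.createPublicKey({ format: 'jwk', key: {
    kty: 'EC', crv: 'P-256', x: b64url(raw.subarray(1, 33)), y: b64url(raw.subarray(33)) } });
  const ok = crypto.verify('sha256', Buffer.from(`${m[1]}.${m[2]}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(m[3], 'base64url'));
  if (!ok) return 'bad signature';
  const claims = JSON.parse(Buffer.from(m[2], 'base64url').toString('utf8'));
  if (claims.aud !== new URL(endpoint).origin) return 'aud mismatch';
  if (claims.exp <= nowSec || claims.exp > nowSec + 24 * 3600) return 'exp out of range';
  return 'ok';
}
```

Because `aud` is the push service origin, a token signed for one push service is not accepted by another, and anyone holding the private key can mint valid tokens for every subscription created with the matching public key.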

Subscribe in the Browser

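// Client-side page script; `registration` is the ServiceWorkerRegistration
// Convert the URL-safe base64 VAPID public key to the Uint8Array subscribe() expects
function urlBase64ToUint8Array(base64String) {
  const padding = '='.repeat((4 - (base64String.length % 4)) % 4);
  const base64 = (base64String + padding).replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
}
registration.pushManager.subscribe({
  userVisibleOnly: true,
  applicationServerKey: urlBase64ToUint8Array(publicKey)
});
// Returns PushSubscription → send to server and store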

Send a Notification

await webpush.sendNotification(pushSubscription, 'Hello World', {
  // vapidDetails overrides global setVapidDetails
  TTL: 60,             // seconds push service retains (default: 4 weeks)
  urgency: 'high',     // very-low | low | normal | high
  topic: 'updates',    // coalesce notifications, max 32 URL-safe base64 chars
  contentEncoding: 'aes128gcm',  // default; 'aesgcm' for legacy
  timeout: 5000,       // socket timeout in ms
});

Encrypt Without Sending

const encrypted = await webpush.encrypt(
  subscription.keys.p256dh,
  subscription.keys.auth,
  'My Payload',
  'aes128gcm'
);
// { localPublicKey, salt, cipherText }

Generate Request Details Without Sending

const details = webpush.generateRequestDetails(
  pushSubscription,
  payload,
  // vapidDetails takes the same three values as setVapidDetails
  { vapidDetails: { subject, publicKey, privateKey }, contentEncoding: 'aes128gcm' }
);
// { endpoint, method: 'POST', headers, body: Buffer }

CLI Usage

# Install
npm install web-push -g

# Generate VAPID keys
web-push generate-vapid-keys --json

# Send notification
# (values passed as flags, including the VAPID private key, are visible in shell history and process listings)
web-push send-notification \
  --endpoint=https://fcm.googleapis.com/fcm/send/... \
  --key=<p256dh> --auth=<auth_secret> \
  --vapid-subject=mailto:[email protected] \
  --vapid-pubkey=<pub> --vapid-pvtkey=<priv> \
  --payload="Hello" [--ttl=<seconds>] [--encoding=aesgcm|aes128gcm]

Critical Pitfalls

  • VAPID keys: Generate ONCE. Store them. Never regenerate for the same app — breaks existing subscriptions.
  • Safari + localhost: Safari rejects VAPID with BadJwtToken if subject is https://localhost. Use mailto: instead.
  • Payload encryption: The PushSubscription MUST include keys.p256dh and keys.auth. Without them, only empty payloads work.
  • Encoding: aes128gcm (default) for modern browsers; aesgcm only for legacy Chrome < 50 and Opera.
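
The payload-encryption pitfall above also means the PushSubscription is client-supplied input that the server later encrypts for and POSTs to. The following added example (not part of the skill or the web-push library) checks its shape before it is stored; the host allowlist and the sample subscription are constructed assumptions to adapt to the push services you accept.

```javascript
// Constructed allowlist of push service hosts (assumption; extend as needed).
const ALLOWED_PUSH_HOSTS = [
  'fcm.googleapis.com',
  'updates.push.services.mozilla.com',
  'notify.windows.com',
  'web.push.apple.com',
];

// Decode strict URL-safe base64; returns null for anything else.
function b64urlBytes(value) {
  if (typeof value !== 'string' || !/^[A-Za-z0-9_-]+$/.test(value)) return null;
  return Buffer.from(value, 'base64url');
}

// Returns a list of problems; an empty list means the subscription is well formed.
function validateSubscription(sub) {
  const errors = [];
  let url = null;
  try { url = new URL(sub && sub.endpoint); } catch { /* reported below */ }
  if (!url) {
    errors.push('endpoint is not a valid URL');
  } else {
    if (url.protocol !== 'https:') errors.push('endpoint must be https');
    const host = url.hostname;
    // Exact match or true subdomain only, so "fcm.googleapis.com.other.example" fails.
    if (!ALLOWED_PUSH_HOSTS.some((h) => host === h || host.endsWith('.' + h))) {
      errors.push('endpoint host is not an allowed push service');
    }
  }
  const keys = (sub && sub.keys) || {};
  const p256dh = b64urlBytes(keys.p256dh);
  // Format check only: uncompressed P-256 point is 0x04 followed by 64 bytes.
  if (!p256dh || p256dh.length !== 65 || p256dh[0] !== 0x04) {
    errors.push('keys.p256dh must be a 65-byte uncompressed P-256 point');
  }
  const auth = b64urlBytes(keys.auth);
  // RFC 8291 uses a 16-octet authentication secret.
  if (!auth || auth.length !== 16) errors.push('keys.auth must be 16 bytes');
  return errors;
}

// Constructed sample with filler bytes, not a real subscription.
const sample = {
  endpoint: 'https://fcm.googleapis.com/fcm/send/constructed-id',
  keys: {
    p256dh: Buffer.concat([Buffer.from([4]), Buffer.alloc(64, 1)]).toString('base64url'),
    auth: Buffer.alloc(16, 2).toString('base64url'),
  },
};
```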

Browser Compatibility

Browser   Push w/o Payload   Push w/ Payload   VAPID
Chrome    v42+               v50+              v52+
Edge      v17+               v17+              v17+
Firefox   v44+               v44+              v46+
Safari    v16+ (macOS 13)    v16+              v16+
Opera     v39+ (Android)     v39+ (Android)
Samsung   v4+                v5+

Full API Reference

See references/webpush.md for all functions (sendNotification, generateVAPIDKeys, setGCMAPIKey, setVapidDetails, encrypt, getVapidHeaders, generateRequestDetails) with detailed parameter tables and return types.

Usage Guidance
This appears safe as an instruction-only Web Push reference. Before using it, protect VAPID private keys, GCM/API keys, and subscription auth secrets; install the npm package from a trusted source with pinned versions for production; and send notifications only to users who have explicitly subscribed.
Capability Analysis
Type: OpenClaw Skill; Name: web-push; Version: 1.0.0. The skill bundle provides documentation and code examples for using the legitimate 'web-push' npm library to send browser notifications. It follows security best practices by recommending the use of environment variables for VAPID keys and contains no evidence of malicious intent, data exfiltration, or prompt injection.
Capability Tags
crypto, requires-wallet, requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The skill's capabilities match its stated purpose: generating VAPID keys, handling subscriptions, and sending browser push notifications. Users should recognize that it can be used to contact subscribed browsers.
Instruction Scope
The instructions are reference-style and user-directed, but examples include sending notifications and passing subscription/authentication secrets in commands.
Install Mechanism
There is no automatic install spec or bundled code. The docs suggest npm installing the expected web-push package, including a global install example, which users should treat as normal but still verify.
Credentials
No broad filesystem access, background process, shell automation, or unrelated network destination is shown beyond normal Web Push provider endpoints.
Persistence & Privilege
The skill tells users to generate VAPID keys once and store them permanently, which is expected for Web Push but requires careful secret handling.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install web-push
  3. After installation, invoke the skill by name or use /web-push
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the web-push skill for Node.js.
- Provides concise instructions for generating VAPID keys, setting credentials, browser subscription flow, and sending notifications using the web-push npm library.
- Includes CLI examples, coverage of core workflows, description of common pitfalls, and browser compatibility tables.
- References full API documentation for all available functions.
Metadata
Slug web-push
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Web Push Notifications?

Send Web Push notifications from a Node.js backend using the web-push npm library (VAPID authentication, payload encryption). Covers generating VAPID keys, s... It is an AI Agent Skill for Claude Code / OpenClaw, with 63 downloads so far.

How do I install Web Push Notifications?

Run "/install web-push" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Web Push Notifications free?

Yes, Web Push Notifications is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Web Push Notifications support?

Web Push Notifications is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Web Push Notifications?

It is built and maintained by OpenLark (@openlark); the current version is v1.0.0.
