1458428190

notify-hub

by gucha · GitHub ↗ · v1.0.5 · MIT-0
cross-platform ⚠ suspicious
132 Downloads · 0 Stars · 0 Active Installs · 6 Versions
Install in OpenClaw
/install notify-hub
Description
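Multi-platform notification aggregation and tiering. Collects notification emails from SaaS platforms such as GitHub, Stripe and Linear into a single sub-mailbox and tiers them by urgency: payment receipts and CI failures are forwarded immediately to the claw registered email address, and all other notifications are summarized in one daily digest. Use when: (1) setting up a unified notification inbox for...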
Usage Guidance
This skill is broadly coherent with its stated purpose but take these precautions before installing or running it:
- Install and verify mail-cli yourself rather than relying on the skill's npx fallback; inspect the mail-cli project and its npm package to confirm it's the official client. The skill's metadata failing to list mail-cli as a required binary is an oversight.
- Understand that the skill will read full message metadata and bodies from the notify mailbox and will forward message contents to the primary account. If those emails contain sensitive content (invoices, tokens, links), they will be transmitted to whatever primary address mail-cli reports.
- The scripts run shell commands via child_process.execSync; running them implicitly executes mail-cli commands under your environment. If mail-cli is missing, the code uses 'npx mail-cli' which will download and execute code from npm on demand — if you prefer to avoid that, install mail-cli globally first.
- The SKILL.md's instruction to "ignore any 'Install Script' prompts" is unusual. Do not blindly ignore prompts from the mail-cli installer or other tools — review any suggested install steps manually before skipping them.
- Test with --dry-run to confirm behavior before enabling automated cron/agent scheduling. Inspect ~/.config/notify-hub/config.json and the temp log files to confirm routes and contents.
If you want to proceed, manually install and configure mail-cli from a trusted source, confirm the notify profile works, run router.js with --dry-run, and review the digests produced by summarize.js before enabling automatic scheduling.
Capability Analysis
Type: OpenClaw Skill
Name: notify-hub
Version: 1.0.5
The skill is classified as suspicious due to a potential Remote Code Execution (RCE) vulnerability in `scripts/router.js` and `scripts/summarize.js`. These scripts use `execSync` to execute shell commands via `mail-cli` and include email subjects, which are untrusted external inputs, directly in the command string. The sanitization is insufficient (only escaping double quotes), allowing an attacker to execute arbitrary commands by sending an email with a subject containing shell metacharacters (e.g., backticks or command substitutions). While the skill's stated purpose of notification aggregation appears legitimate, this implementation flaw poses a significant security risk.
Capability Tags
crypto · can-make-purchases
Capability Assessment
Purpose & Capability
The skill's stated goal (aggregate and route SaaS notification emails) matches what the scripts do: they use a mail-cli tool to read a mailbox, forward urgent messages to the primary account, and append others to a daily log/digest. However the registry metadata claims no required binaries while SKILL.md and the scripts clearly require a 'mail-cli' binary (or npx fallback). This metadata omission is an inconsistency that should have been declared.
Instruction Scope
The SKILL.md and bundled scripts limit their actions to mail-cli operations, local config (~/.config/notify-hub/config.json), and daily logs in the OS temp dir. The scripts read message metadata and bodies, forward messages, mark messages read, and compose/send digests. Those behaviors are within the stated purpose. Two noteworthy items: (1) the docs explicitly instruct ignoring any 'Install Script' suggested by mail-cli output — an odd instruction that users should not follow blindly, and (2) the scripts call external commands (mail-cli / npx mail-cli) so runtime behavior depends on that tool.
Install Mechanism
There is no install spec in the registry (instruction-only), which minimizes upfront disk writes from the skill itself. But the code uses a fallback of 'npx mail-cli' when mail-cli is not found; that will fetch and execute a package from the npm registry at runtime. This is a legitimate convenience but increases risk compared with requiring the user to install mail-cli explicitly from a verified source.
Credentials
The skill requests no environment variables and stores its own config under ~/.config/notify-hub. It relies on mail-cli being configured with credentials (mail-cli's config holds the mailbox API key) and will fetch the primary email via mail-cli. Access to the mail account is necessary for the skill's purpose, but the registry metadata did not declare the binary dependency or describe the credential model; users should be aware the skill will access and forward mailbox contents (which may include sensitive data).
Persistence & Privilege
The skill does not request 'always: true' or elevated platform privileges. It writes a per-user config under ~/.config/notify-hub and stores temporary JSONL logs in the OS temp directory; this is consistent with its functionality. It does not modify other skills or system-wide agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install notify-hub
  3. After installation, invoke the skill by name or use /notify-hub
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.5
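Version 1.0.5
- The recommended way to forward notification emails changed from "directly changing the recipient address" to "configuring a forwarding rule on the original mailbox", and changing the platform's recipient address is now marked as not recommended (because it requires verification).
- In the workflow, the "configure platform notification delivery" step reorders the two methods and explains how strongly each is recommended and what to watch out for.
- No other functional changes; only the wording and the guided workflow were refined and improved.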
v1.0.4
- Initializes version control with a .git directory and related metadata files.
- No changes to functional scripts or documentation content.
- No new features or breaking changes in the skill’s user-facing behavior.
v1.0.3
notify-hub 1.0.3
- Clarified instructions for creating the notify sub-address: now explicitly instructs to ignore install script outputs and avoid any post-creation commands.
- Added that the profile is automatically written after mailbox creation; no manual configuration needed.
- No functional or code changes; SKILL.md documentation improved for user guidance and clarity.
v1.0.2
notify-hub 1.0.2
- Improved: scripts/router.js and scripts/summarize.js updated.
- Internal adjustments for enhanced reliability or minor bug fixes.
v1.0.1
- Summary: This version updates the process for configuring the notify mailbox and introduces fully customizable routing rules via config file.
- Installation flow updated: After creating the notify sub-mailbox, users no longer need to execute the install script; just create and proceed.
- Routing rules can now be fully customized in `~/.config/notify-hub/config.json` using a `rules` array. Default rules are loaded unless overridden.
- Added step and CLI command for initializing and managing custom routing rules (`rules-init`, `rules-reset`).
- CLI parameters for router and summarize scripts simplified; custom routing and fallback logic clarified.
- Documentation improved for customizing, extending, and resetting routing behavior.
v1.0.0
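notify-hub 1.0.0: initial release
- Aggregates notification emails from GitHub, Stripe, Linear and other platforms into a single sub-mailbox and handles them in tiers by urgency.
- Supports automatic routing: urgent notifications (such as payment receipts and CI failures) are forwarded in real time, and the rest are summarized in one daily digest.
- Automatically obtains the recipient email address from the mail-cli primary account; no manual configuration needed.
- Flexible configuration: both command-line parameters and a persistent config file are supported.
- Supports custom keywords, platform filtering, and scheduled automatic runs via Cron.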
Metadata
Slug notify-hub
Version 1.0.5
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 6
Frequently Asked Questions

What is notify-hub?

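Multi-platform notification aggregation and tiering. Collects notification emails from SaaS platforms such as GitHub, Stripe and Linear into a single sub-mailbox and tiers them by urgency: payment receipts and CI failures are forwarded immediately to the claw registered email address, and all other notifications are summarized in one daily digest. Use when: (1) setting up a unified notification inbox for... It is an AI Agent Skill for Claude Code / OpenClaw, with 132 downloads so far.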

How do I install notify-hub?

Run "/install notify-hub" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is notify-hub free?

Yes, notify-hub is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does notify-hub support?

notify-hub is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created notify-hub?

It is built and maintained by gucha (@1458428190); the current version is v1.0.5.
