Total downloads: 132
Favorites: 0
Current installs: 0
Versions: 6
Install in OpenClaw
/install notify-hub
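Description
Multi-platform notification aggregation and tiering. Collects notification emails from SaaS platforms such as GitHub, Stripe and Linear into a single sub-mailbox and tiers them by urgency: payment receipts and CI failures are forwarded immediately to the claw registered email address, and all other notifications go into one daily digest. Use when: (1) setting up a unified notification inbox for...
Security usage recommendations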
This skill is broadly coherent with its stated purpose but take these precautions before installing or running it:
- Install and verify mail-cli yourself rather than relying on the skill's npx fallback; inspect the mail-cli project and its npm package to confirm it's the official client. The skill's metadata failing to list mail-cli as a required binary is an oversight.
- Understand that the skill will read full message metadata and bodies from the notify mailbox and will forward message contents to the primary account. If those emails contain sensitive content (invoices, tokens, links), they will be transmitted to whatever primary address mail-cli reports.
- The scripts run shell commands via child_process.execSync; running them implicitly executes mail-cli commands under your environment. If mail-cli is missing, the code uses 'npx mail-cli' which will download and execute code from npm on demand — if you prefer to avoid that, install mail-cli globally first.
- The SKILL.md's instruction to "ignore any 'Install Script' prompts" is unusual. Do not blindly ignore prompts from the mail-cli installer or other tools — review any suggested install steps manually before skipping them.
- Test with --dry-run to confirm behavior before enabling automated cron/agent scheduling. Inspect ~/.config/notify-hub/config.json and the temp log files to confirm routes and contents.
If you want to proceed, manually install and configure mail-cli from a trusted source, confirm the notify profile works, run router.js with --dry-run, and review the digests produced by summarize.js before enabling automatic scheduling.
Functional analysis
Type: OpenClaw Skill
Name: notify-hub
Version: 1.0.5
The skill is classified as suspicious due to a potential Remote Code Execution (RCE) vulnerability in `scripts/router.js` and `scripts/summarize.js`. These scripts use `execSync` to execute shell commands via `mail-cli` and include email subjects—which are untrusted external inputs—directly in the command string. The sanitization is insufficient (only escaping double quotes), allowing an attacker to execute arbitrary commands by sending an email with a subject containing shell metacharacters (e.g., backticks or command substitutions). While the skill's stated purpose of notification aggregation appears legitimate, this implementation flaw poses a significant security risk.
Capability tags
Capability assessment
Purpose & Capability
The skill's stated goal (aggregate and route SaaS notification emails) matches what the scripts do: they use a mail-cli tool to read a mailbox, forward urgent messages to the primary account, and append others to a daily log/digest. However the registry metadata claims no required binaries while SKILL.md and the scripts clearly require a 'mail-cli' binary (or npx fallback). This metadata omission is an inconsistency that should have been declared.
Instruction Scope
The SKILL.md and bundled scripts limit their actions to mail-cli operations, local config (~/.config/notify-hub/config.json), and daily logs in the OS temp dir. The scripts read message metadata and bodies, forward messages, mark messages read, and compose/send digests. Those behaviors are within the stated purpose. Two noteworthy items: (1) the docs explicitly instruct ignoring any 'Install Script' suggested by mail-cli output — an odd instruction that users should not follow blindly, and (2) the scripts call external commands (mail-cli / npx mail-cli) so runtime behavior depends on that tool.
Install Mechanism
There is no install spec in the registry (instruction-only), which minimizes upfront disk writes from the skill itself. But the code uses a fallback of 'npx mail-cli' when mail-cli is not found; that will fetch and execute a package from the npm registry at runtime. This is a legitimate convenience but increases risk compared with requiring the user to install mail-cli explicitly from a verified source.
Credentials
The skill requests no environment variables and stores its own config under ~/.config/notify-hub. It relies on mail-cli being configured with credentials (mail-cli's config holds the mailbox API key) and will fetch the primary email via mail-cli. Access to the mail account is necessary for the skill's purpose, but the registry metadata did not declare the binary dependency or describe the credential model; users should be aware the skill will access and forward mailbox contents (which may include sensitive data).
Persistence & Privilege
The skill does not request 'always: true' or elevated platform privileges. It writes a per-user config under ~/.config/notify-hub and stores temporary JSONL logs in the OS temp directory; this is consistent with its functionality. It does not modify other skills or system-wide agent settings.
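How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install notify-hub`
- Once installation completes, invoke the Skill by name or trigger it with `/notify-hub`
- Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history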
v1.0.5
Version 1.0.5
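- The recommended way to forward notification emails changed from "change the recipient address directly" to "configure a forwarding rule on the original mailbox"; changing the recipient address on the platform is now marked as not recommended (because it requires verification).
- In the workflow, the "configure platform notification delivery" step reorders the two methods and explains how strongly each is recommended and what to watch out for.
- No functional changes to anything else; only the wording and the guidance flow were refined.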
v1.0.4
- Initializes version control with a .git directory and related metadata files.
- No changes to functional scripts or documentation content.
- No new features or breaking changes in the skill’s user-facing behavior.
v1.0.3
notify-hub 1.0.3
- Clarified instructions for creating the notify sub-address: now explicitly instructs to ignore install script outputs and avoid any post-creation commands.
- Added that the profile is automatically written after mailbox creation; no manual configuration needed.
- No functional or code changes; SKILL.md documentation improved for user guidance and clarity.
v1.0.2
notify-hub 1.0.2
- Improved: scripts/router.js and scripts/summarize.js updated.
- Internal adjustments for enhanced reliability or minor bug fixes.
v1.0.1
- Summary: This version updates the process for configuring the notify mailbox and introduces fully customizable routing rules via config file.
- Installation flow updated: After creating the notify sub-mailbox, users no longer need to execute the install script—just create and proceed.
- Routing rules can now be fully customized in `~/.config/notify-hub/config.json` using a `rules` array. Default rules are loaded unless overridden.
- Added step and CLI command for initializing and managing custom routing rules (`rules-init`, `rules-reset`).
- CLI parameters for router and summarize scripts simplified; custom routing and fallback logic clarified.
- Documentation improved for customizing, extending, and resetting routing behavior.
v1.0.0
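notify-hub 1.0.0: initial release
- Aggregates notification emails from GitHub, Stripe, Linear and other platforms into a single sub-mailbox and handles them in tiers by urgency.
- Supports automatic routing: urgent notifications (such as payments received and CI failures) are forwarded in real time; everything else goes into one daily digest.
- Automatically obtains the recipient address from the mail-cli primary account; no manual configuration needed.
- Flexible configuration, with support for both command-line parameters and a persistent config file.
- Supports custom keywords, platform filtering, and scheduled automatic execution via cron.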
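Metadata
FAQ
What is notify-hub?
Multi-platform notification aggregation and tiering. Collects notification emails from SaaS platforms such as GitHub, Stripe and Linear into a single sub-mailbox and tiers them by urgency: payment receipts and CI failures are forwarded immediately to the claw registered email address, and all other notifications go into one daily digest. Use when: (1) setting up a unified notification inbox for... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 132 downloads to date.
How do I install notify-hub?
Run the command `/install notify-hub` in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is notify-hub free?
Yes. notify-hub is completely free and released under the MIT-0 license; it can be freely downloaded, installed and used.
Which platforms does notify-hub support?
notify-hub runs across platforms and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed notify-hub?
Developed and maintained by gucha (@1458428190); the current version is v1.0.5.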