EngageLab App Push
v1.0.1Call EngageLab App Push REST APIs to send push notifications and in-app messages to Android, iOS, and HarmonyOS devices; manage tags and aliases; create sche...
⭐ 0· 221·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description, SKILL.md, and the included Python client (EngageLabPush) consistently implement EngageLab App Push REST APIs (push, batch, device/tag/alias management, schedules, plans, recall, stats, image/voice endpoints). There are no required environment variables or binaries declared, and nothing in the files requests access to unrelated services or secrets.
Instruction Scope
SKILL.md instructs only to call the EngageLab REST endpoints and to request AppKey/Master Secret from the user if not provided. It documents endpoints, rate limits, and callback verification (HMAC-SHA256) for webhooks. The instructions do not direct reading of arbitrary local files, unrelated environment variables, or exfiltration to unexpected endpoints.
Install Mechanism
This is instruction-only with a bundled Python helper. No install spec is provided (low risk), but the Python client uses the requests library and assumes a Python runtime; the skill does not declare or install that dependency. This is a functional omission rather than a security issue, but the client may fail if requests is not present.
Credentials
The skill does not declare required env vars, but the documented authentication model requires sensitive AppKey and Master Secret (HTTP Basic Auth) which the SKILL.md says the agent should ask for when needed. Those credentials are appropriate and proportional for pushing notifications. No unrelated credentials or config paths are requested.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. It will perform network calls to EngageLab endpoints when used. Autonomous invocation is allowed by platform default but not enabled as an always-on skill.
Assessment
This skill appears to do what it says: it wraps EngageLab App Push REST APIs. Before installing, consider: (1) You will need to provide your AppKey and Master Secret — treat these as sensitive and only supply them in a trusted environment; revoke/rotate them if you suspect misuse. (2) The bundled Python client uses the requests library but there is no install step — ensure your runtime has Python and requests installed or review the client before running. (3) The skill can send pushes and create scheduled tasks if given credentials; avoid enabling unattended/autonomous invocation if you don't want the agent to send notifications without explicit confirmation. (4) If you intend to accept callbacks, implement the recommended HMAC-SHA256 verification on your server and follow the echostr validation rules. (5) Review the push_client.py source yourself (or in a private environment) to confirm behavior and that it meets your policy before supplying credentials or using in production.Like a lobster shell, security has layers — review code before you run it.
latestvk978ymk5cvgqyk3ms6c06332nh83qfd6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.