ClawHub

EngageLab App Push

Security checks across malware telemetry and agentic risk

Overview

This is a coherent EngageLab push-notification API helper, but it can perform real account-level sends, recalls, schedules, and irreversible user deletion without strong built-in confirmation guidance.

Install only if you control the EngageLab application and want an agent to help prepare or call its push APIs. Before any live send, recall, schedule change, tag/alias mutation, or user deletion, confirm the exact app, audience, identifiers, message content, and consequences; use validation/read-only calls first where possible, protect the Master Secret, and require HMAC verification for callbacks in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad terms such as 'push notification', 'tag alias', and 'push statistics', which can match many ordinary requests beyond this specific vendor integration. Overbroad activation increases the chance the skill is invoked in contexts where the user did not intend to use EngageLab, causing accidental external API usage or credential solicitation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises destructive and privacy-impacting operations like deleting users, modifying tags/aliases, scheduling pushes, and recalling messages without consistently requiring explicit user-facing warnings or confirmation. In practice, this could lead to unintended deletion of device/user records or changes to messaging state that affect end users and compliance obligations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation explicitly describes callback verification as optional even though the endpoint accepts inbound POSTs that influence business analytics and event processing. If implementers skip signature validation, an attacker can forge callback requests to inject fake delivery or click events, poison metrics, trigger downstream automation, or abuse any business logic tied to callback processing.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal