EngageLab Web Push
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill is a straightforward EngageLab Web Push API wrapper, but it can use EngageLab master credentials to send or schedule notifications and modify or delete device records.
Before installing, understand that this skill lets an agent call EngageLab Web Push APIs with your AppKey and Master Secret. Only use it when you want the agent to manage web push notifications, verify exact targets and message content, and require confirmation for broadcast, group, scheduled, or delete operations.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken request could send unwanted notifications broadly, schedule future campaigns, or delete a web push user/device record.
The skill exposes broad, mutating EngageLab API operations including broadcast/group sends, batch sends, scheduling, and user deletion. These are disclosed and aligned with the skill purpose, but they can affect many end users or remove data if invoked with the wrong target.
Create Push — Send notification or message... Batch Single Push... Group Push... Delete User — Delete a user (registration_id) and all associated data
Use only after an explicit user request, preview the exact target and payload, and require clear confirmation for broadcast, group, batch, scheduled, update, and delete operations.
Anyone or any agent flow with the Master Secret may be able to send pushes or change EngageLab web push records for the application.
The skill needs provider credentials with enough authority to call EngageLab Web Push APIs. This is expected for the integration, but the Master Secret should be treated as a sensitive credential.
Authorization: Basic base64(appKey:masterSecret)... If the user hasn't provided credentials, ask for AppKey and Master Secret
Provide credentials only in a trusted session, prefer least-privilege credentials if EngageLab supports them, and rotate the Master Secret if it may have been exposed.
A scheduled campaign could continue sending later if created with incorrect timing, targeting, or content.
The helper can create provider-side scheduled push tasks. This is documented and purpose-aligned, but scheduled tasks may continue after the current interaction unless managed or deleted.
def schedule_create(self, name: str, trigger: dict, push: dict, enabled: bool = True) -> dict:
Confirm schedule details before creation and keep the returned schedule ID so the task can be reviewed, updated, disabled, or deleted.