Security audit

pushplus

Security checks across malware telemetry and agentic risk

Overview

This PushPlus skill is a notification integration whose stated purpose is disclosed, but it also carries powerful optional account-management features that users should invoke carefully.

Install this only if you want an agent to send PushPlus notifications and, when optional OpenAPI credentials are provided, manage parts of your PushPlus account. Use a message token for ordinary sending, withhold USER_TOKEN and SECRET_KEY unless account administration is needed, avoid verbose mode with real tokens, and require explicit confirmation before deleting or changing tokens, groups, friends, webhooks, settings, preprocessing rules, or paid delivery channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares environment-variable and network-driven capabilities but does not expose an explicit permissions model, so an agent platform or reviewer may underestimate that it can read secrets and perform outbound API actions. In this skill, those capabilities are material because the documented functions can send messages, query account data, and perform administrative OpenAPI operations using stored tokens and secret keys.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The advertised purpose centers on message sending and notification management, but the documented behavior extends into broad account administration: token lifecycle management, group/user administration, settings changes, friend management, QR code generation, and preprocessing code testing. This mismatch is dangerous because users or orchestrators may invoke the skill expecting low-risk notification behavior while actually granting a tool that can modify or delete account resources and alter delivery/security settings.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The module exposes a much broader set of privileged account-management capabilities than the skill metadata suggests, including user/profile access, friend management, group administration, token management, webhook management, and settings changes. In an agent setting, this capability mismatch is dangerous because a caller expecting only notification sending/querying may unknowingly grant the skill authority to perform destructive or privacy-impacting actions across the account.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The webhook functions allow creation and modification of arbitrary outbound destinations, including custom URLs, headers, body, and HTTP methods. In an agent environment this can be abused to exfiltrate data, relay requests to attacker-controlled infrastructure, or silently reconfigure notification flows beyond the expected scope of a push-notification skill.
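One way to contain this is to validate a proposed webhook destination before the skill is allowed to create or edit it. The following is an added example written for this audit page, not code from the PushPlus skill or from PushPlus itself; the allowlist hosts, the forbidden-header set and the function name are assumptions chosen for illustration. It rejects non-HTTPS schemes, literal IP addresses (the route to loopback, link-local and cloud-metadata endpoints), hosts outside an operator-controlled allowlist, credentials embedded in the URL, and headers that would forward secrets to the destination.

```python
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hosts an operator has explicitly approved as webhook destinations.
# Constructed for this example; a deployment would load this from configuration.
ALLOWED_WEBHOOK_HOSTS = {"hooks.example.com", "alerts.internal.example.com"}

# Request headers an agent must never be allowed to set on an outbound webhook,
# because they carry credentials to whatever host receives the request.
FORBIDDEN_HEADERS = {"authorization", "cookie", "proxy-authorization"}


def validate_webhook_destination(url: str,
                                 headers: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for a proposed webhook URL and header set.

    The check is deliberately deny-by-default: only https to an allowlisted
    hostname with no credential-bearing headers passes.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed; only https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        # Literal IPs bypass the name allowlist and are how SSRF reaches
        # 127.0.0.1, 169.254.169.254 or RFC 1918 ranges; refuse them outright.
        ipaddress.ip_address(host)
        return False, "literal IP addresses are not allowed as webhook hosts"
    except ValueError:
        pass  # a hostname, not an IP literal
    if host.lower() not in ALLOWED_WEBHOOK_HOSTS:
        return False, f"host {host!r} is not on the webhook allowlist"
    for name in (headers or {}):
        if name.lower() in FORBIDDEN_HEADERS:
            return False, f"header {name!r} may forward credentials"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://hooks.example.com/in/abc",
                      "http://hooks.example.com/in/abc",
                      "https://169.254.169.254/latest/meta-data",
                      "https://attacker.example.net/collect"):
        print(candidate, validate_webhook_destination(candidate))
```

A hostname allowlist does not stop DNS rebinding or a trusted host that later resolves to an internal address; resolving the name and checking the resulting addresses at request time closes that gap, and is the natural next step if the skill is ever allowed to create webhooks unattended.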

Missing User Warnings

Medium
Confidence
96% confidence
Finding
When verbose mode is enabled, the script prints the full JSON request body before sending it. That body includes the PushPlus token and message content, so secrets and sensitive notification data can be exposed to terminal logs, CI logs, shell history capture systems, or shared observability pipelines.
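The safe form of a verbose mode masks secrets before anything reaches stdout. The block below is an added example for this page, not the skill's own script: `render_verbose_unsafe` reproduces the pattern the finding describes, and `render_verbose` is the replacement. The field name `token` for the PushPlus credential and the other key names in `SECRET_KEYS` are assumptions; the sample request body is constructed.

```python
import json
import re
from typing import Any, Dict, Optional

# Key names treated as secrets, matched case-insensitively at any nesting depth.
# The PushPlus field name "token" is assumed; extend the pattern for other APIs.
SECRET_KEYS = re.compile(r"(token|secret|secret_key|secretkey|password|api_?key)$", re.I)


def redact(obj: Any, mask: str = "***REDACTED***") -> Any:
    """Return a deep copy of obj with values under secret-looking keys masked."""
    if isinstance(obj, dict):
        return {k: (mask if SECRET_KEYS.search(str(k)) else redact(v, mask))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, mask) for v in obj]
    return obj


def render_verbose_unsafe(body: Dict[str, Any], verbose: bool) -> Optional[str]:
    """The pattern in the finding: the full body, token included, goes to the log."""
    return json.dumps(body, ensure_ascii=False) if verbose else None


def render_verbose(body: Dict[str, Any], verbose: bool,
                   show_content: bool = False) -> Optional[str]:
    """Verbose output with secrets masked and message content elided by default.

    Content is replaced by its length so an operator can still see that a
    payload was sent without the notification text landing in CI logs.
    """
    if not verbose:
        return None
    safe = redact(body)  # a new dict, so mutating it leaves the caller's body intact
    if not show_content and "content" in safe:
        safe["content"] = f"<{len(str(body['content']))} chars omitted>"
    return json.dumps(safe, ensure_ascii=False, sort_keys=True)


# Constructed sample request body resembling a PushPlus send call.
SAMPLE_BODY = {"token": "abcd1234efgh5678", "title": "deploy",
               "content": "release 1.4 finished", "channel": "wechat"}

if __name__ == "__main__":
    print("unsafe:", render_verbose_unsafe(SAMPLE_BODY, True))
    print("safe:  ", render_verbose(SAMPLE_BODY, True))
```

Masking at the point of rendering is the right layer: it protects every sink at once (terminal, CI capture, shell-history hooks, log shippers) rather than relying on each of them to scrub credentials afterwards.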

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill exposes irreversible remote deletion of messages without any built-in confirmation, dry-run mode, or secondary authorization. In an agentic workflow, accidental invocation, prompt manipulation, or misuse by another tool can cause permanent loss of message visibility for all recipients.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file provides many state-changing operations—editing tokens, topics, webhooks, settings, friends, subscribers, and pre-processing rules—without any confirmation or user-visible warning. In a tool-using agent context, broad unguarded mutation endpoints significantly increase the risk of unintended account takeover-like changes, service disruption, privacy violations, or persistent reconfiguration.
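The confirmation and dry-run guard that the overview recommends, and that the two findings above note is absent, can be layered around the skill's functions without changing them. The following is an added example for this audit page, not code from the PushPlus skill: the operation names in `MUTATING`, the `GuardedClient` class and the stand-in handlers are assumptions constructed for illustration. The key design point is that `confirm` is supplied by the operator out of band (a terminal prompt, a ticket approval, an interactive chat button that the model cannot press), so prompt injection inside a tool result cannot satisfy it.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Operation names this example treats as state-changing, following the audit's
# list (tokens, topics, webhooks, settings, friends, subscribers, preprocessing).
# Anything not listed is treated as read-only or send-only and passes through.
MUTATING = {
    "delete_message", "delete_token", "delete_topic", "delete_webhook",
    "delete_friend", "delete_subscriber", "delete_preprocess",
    "edit_token", "edit_topic", "edit_webhook", "edit_settings",
    "edit_friend", "edit_subscriber", "edit_preprocess",
}


class ConfirmationRequired(Exception):
    """Raised when a mutating operation was attempted without operator approval."""


@dataclass
class GuardedClient:
    # Operator-controlled approval hook; must never be answered by the model itself.
    confirm: Callable[[str, Dict[str, Any]], bool]
    dry_run: bool = False
    audit_log: List[Dict[str, Any]] = field(default_factory=list)

    def call(self, op: str, handler: Callable[..., Any], **params: Any) -> Any:
        """Invoke handler(**params) unless op is mutating and unapproved."""
        entry: Dict[str, Any] = {"op": op, "params": params, "dry_run": self.dry_run}
        if op in MUTATING:
            if self.dry_run:
                entry["result"] = "skipped (dry run)"
                self.audit_log.append(entry)
                return entry["result"]
            if not self.confirm(op, params):
                entry["result"] = "refused"
                self.audit_log.append(entry)
                raise ConfirmationRequired(f"{op} requires explicit confirmation")
        result = handler(**params)
        entry["result"] = result
        self.audit_log.append(entry)
        return result


# Constructed stand-ins for remote API calls so the example runs offline.
REMOTE_MESSAGES: Dict[str, str] = {"m1": "deploy finished", "m2": "backup ok"}


def fake_delete_message(message_id: str) -> bool:
    return REMOTE_MESSAGES.pop(message_id, None) is not None


def fake_send_message(title: str, content: str) -> Dict[str, Any]:
    return {"code": 200, "title": title, "length": len(content)}


if __name__ == "__main__":
    def ask_terminal(op: str, params: Dict[str, Any]) -> bool:
        return input(f"Really run {op} with {params}? [y/N] ").strip().lower() == "y"

    client = GuardedClient(confirm=ask_terminal)
    print(client.call("send_message", fake_send_message, title="hi", content="ok"))
    try:
        client.call("delete_message", fake_delete_message, message_id="m1")
    except ConfirmationRequired as exc:
        print("blocked:", exc)
    print(client.audit_log)
```

Running the agent with `dry_run=True` first produces an audit log of every mutation it would have attempted, which is the cheapest way to discover scope creep before granting it a USER_TOKEN or SECRET_KEY.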

VirusTotal

59/59 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token. Before rotating anything, confirm that the literal at the cited line is a live credential rather than a placeholder or example value; if it is live, treat it as compromised and rotate it.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/pushplus_openapi.py:27