Security audit

HarmonyOS MobPush Integration

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent HarmonyOS MobPush integration helper, with expected project edits and credential prompts gated by user confirmations.

Install this only if you want help integrating MobPush into a HarmonyOS NEXT project. Confirm MobPush is the intended provider, review every proposed file change before approving it, and avoid using production app secrets unless you are comfortable storing them in the project configuration and source files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 77% confidence
Finding
The trigger description is broad enough that the skill may activate on general push-notification or HarmonyOS assistance requests, causing it to steer users into a workflow that asks for project paths and performs file/config changes. Over-broad activation increases the chance of unintended invocation of a high-impact integration skill that can modify project files and install dependencies.

Vague Triggers

Medium, 82% confidence
Finding
The applicable-scenario list includes broad intents like helping configure push notifications or one-click integration, which can match ordinary advisory requests and escalate into operational changes. In this skill's context, that is more dangerous because later steps involve generating files, collecting secrets, editing project configuration, and inserting SDK initialization code.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.