ClawHub

OneSignal

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed OneSignal connector that can read messages, create push notifications, and cancel scheduled messages through OOMOL, with setup and credential use clearly described.

Install this only if you intend to let OOMOL broker access to your OneSignal account. Before using it, verify the oo CLI installer source or install the CLI through a trusted method, and require explicit confirmation of recipients, message content, payload, and cancellation targets before any create or cancel action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

External Script Fetching

High
Category
Supply Chain
Content
- **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>):

  ```bash
  curl -fsSL https://cli.oomol.com/install.sh | bash    # macOS / Linux
  ```

  ```powershell
Confidence
97% confidence
Finding
curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal