Pushbullet

Security checks across malware telemetry and agentic risk

Overview

This Pushbullet skill is a disclosed connector wrapper that can read and change Pushbullet data, with explicit confirmation guidance for writes and deletes.

Install only if you want Codex to operate your connected Pushbullet account through OOMOL. Review payloads before approving sends, updates, or deletes, especially `delete_all_pushes`, because those actions can change or remove account data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The description says to use this skill for ANY Pushbullet request and instead of calling the API directly, which can cause an agent to invoke the skill too broadly whenever Pushbullet is mentioned. That increases the chance of unnecessary tool use and unintended state-changing operations, especially because the skill exposes create, update, and delete actions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal