Pushover

Security checks across malware telemetry and agentic risk

Overview

This Pushover skill is coherent and disclosed, but users should treat its Pushover and Team API token handling as sensitive.

Install only if you intend to let the agent operate your Pushover account through OOMOL. Confirm every send, write, license, team, group, or deletion action before it runs, and avoid using token-return or token-storage actions unless you specifically need them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly instructs users to persist a Pushover Team API token for later use, but provides no warning that the value is a sensitive credential requiring secure handling, least-privilege use, and careful access control. Storing long-lived API tokens in provider connection extras can increase exposure through logs, misconfiguration, overly broad access to saved connections, or reuse beyond the immediate task.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal