Back to skill

Security audit

Push by Techulus

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow Push by Techulus connector wrapper that can send notifications, with its write actions disclosed and confirmation instructions included.

Install only if you intend to let your agent send Push by Techulus notifications through an OOMOL-connected account. Before any send action, verify the message body, target group or all-device scope, and account/team API key context, because notification sends are external side effects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The invocation guidance is overly broad: 'Use this skill for ANY Push by Techulus request' can cause an agent to select this skill whenever Push by Techulus is merely mentioned, even when the user's intent is informational, comparative, or unrelated to taking connector-backed actions. That increases the chance of unnecessary external calls and, combined with the skill's write-capable actions, can lead to unintended notifications being sent if downstream confirmation logic is weak or bypassed.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.