ClawHub

pushplus

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward PushPlus notification skill that sends user-approved messages through a third-party notification service.

Install this only if you want your agent to send PushPlus notifications. Review the title, content, channel, recipient, and any webhook or callback destination before approving each send, and avoid sending passwords, API keys, personal data, or confidential logs unless you intentionally accept transmission through PushPlus.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes sending notifications through the PushPlus HTTP API but does not warn that notification content and related metadata will be transmitted to a third-party service. This can cause users or downstream agents to send sensitive logs, alerts, or personal data off-platform without informed consent, especially because the skill is designed for automated agent use.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description is broad enough to match generic user requests such as notifications, alerts, and reminders, which can cause the agent to invoke a capability that sends data to an external third-party service unexpectedly. Because this skill performs outbound network actions and can transmit user-provided content, overbroad triggering increases the risk of unintended data disclosure or unauthorized message sending.

External Transmission

Medium
Category
Data Exfiltration
Content
An [OpenClaw](https://clawhub.ai) agent skill that enables AI agents to send push notifications via [PushPlus](https://www.pushplus.plus) HTTP API to WeChat, email, webhook, SMS, and more.

**Zero dependencies** — works with any agent that has Shell/curl access. No MCP server or extra packages required.

## Features
Confidence
96% confidence
Finding
curl access. No MCP server or extra packages required. ## Features - **Direct HTTP API** — No extra dependencies, just curl - **8 channels**: WeChat, webhook, enterprise WeChat, email, SMS, voice, e

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal