pushplus
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent PushPlus notification skill, but it uses your PushPlus token and sends message content through a third-party notification service.
This skill looks safe to install if you intend to let your agent send PushPlus notifications. Only provide a PushPlus token you are comfortable using, verify the message and destination before each send, and avoid sending secrets or personal information through third-party notification channels unless necessary.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the agent can send the requested notification through PushPlus using a shell command.
The skill instructs the agent to use Shell/curl to make outbound PushPlus API calls. This is expected for a curl-based notification skill and is paired with explicit confirmation requirements.
“Use the Shell tool to execute curl commands” / “https://www.pushplus.plus/send”
Before confirming, review the message title, content, channel, and recipient options; do not let the agent send messages automatically.
The token lets the agent send notifications through the user's PushPlus account.
The skill needs a PushPlus token and may obtain it from the user, environment, or a scoped .env lookup. This is expected for the service and the artifact explicitly limits what should be read.
“The user needs to provide `PUSHPLUS_TOKEN` … ways to obtain the token … environment variable `PUSHPLUS_TOKEN` … **extract only** `PUSHPLUS_TOKEN` from the `.env` file in the project root directory”
Provide only the PushPlus token, keep it out of chat when possible, and make sure the agent masks the token and does not read unrelated .env secrets.
Anything included in the notification may leave the local environment and be processed by PushPlus and the selected channel.
Notification content is sent to PushPlus and possibly onward to external channels such as email, SMS, or webhooks. The artifact discloses this and tells the agent to warn users before sending sensitive data.
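“Push messages directly to channels such as WeChat, email, webhook, and SMS through the pushplus HTTP API” and “Messages will be transmitted through a third-party service (pushplus.plus)”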
Avoid sending passwords, keys, personal data, or confidential logs unless you intentionally accept the third-party transmission.
