ClawHub

pushplus

v1.0.1

Send push notifications via pushplus HTTP API to WeChat, email, webhook, SMS and more. Use when the user asks to send notifications, push messages, WeChat me...

1· 182·0 current·0 all-time
by陈大人@pcstx
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match what the skill asks for: it sends messages via PushPlus and declares the single primary credential PUSHPLUS_TOKEN. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
SKILL.md gives concrete curl examples and a clear flow (fetch token from conversation/env/.env line, construct JSON, run curl). It explicitly instructs to only extract the PUSHPLUS_TOKEN line from .env and to always ask for user confirmation before sending. This is appropriately scoped, but because the skill is instruction-only there is no enforcement — the agent executing the instructions must actually follow the guidance (especially the '.env only the PUSHPLUS_TOKEN line' constraint and 'always confirm' rule).
Install Mechanism
No install spec or code is included (instruction-only). No downloads or archives. Low installation risk.
Credentials
Only the single PUSHPLUS_TOKEN credential is declared as primary and required. That is proportional to a notification-sending skill. The SKILL.md also warns not to log or store the token and provides guidance for safe handling.
Persistence & Privilege
always is false and the skill does not request system-level persistence or modify other skills. It does not ask to store credentials or write files (SKILL.md explicitly forbids storing the token).
Assessment
This skill appears coherent and low-risk: it only needs a PushPlus API token and uses curl to call the official PushPlus endpoints. Before installing or using it, consider: (1) Provide the token via environment variable rather than pasting it into chat to avoid leaking it in conversation history. (2) Confirm the agent follows the SKILL.md safety rules — especially that it asks you for confirmation before sending any message and does not store or print the full token. Because the skill is instruction-only, there is no code enforcing those rules; they depend on the agent implementation. (3) Avoid including sensitive secrets or PII in messages sent through a third-party service; if you must, review PushPlus’s privacy/security policy. (4) If the token is ever exposed, revoke/regenerate it immediately. If you want stronger guarantees, prefer a skill with audited code or one that performs token handling within vetted code rather than free-form agent instructions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b7d91d85kjjtk9qzjzh3hv983hkt6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Primary envPUSHPLUS_TOKEN

Comments