TurboPush
Security checks across static analysis, malware telemetry, and agentic risk
Overview
TurboPush is a coherent publishing integration, but it can post directly to many logged-in public accounts, and its artifacts do not clearly require a final user confirmation before publishing.
Before installing, make sure you trust the TurboPush MCP binary and understand that the skill can publish through logged-in accounts on many platforms. Use it with explicit prompts, review the target accounts and the final content, and prefer draft-only mode (`syncDraft: true`) unless you are ready for public posting.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misunderstands the request or selects the wrong accounts, it could publish unreviewed content to public platforms rather than saving a draft.
The normal workflow calls the publishing tools directly, and the draft-only option (`syncDraft`) defaults to false, so direct public publication is the default behaviour. The artifacts add no clear final user-confirmation requirement before posting to the selected accounts.
4. Build the `postAccounts` array and call the matching publishing tool: `publish_article` / `publish_graph_text` / `publish_video` ... `syncDraft` ... whether to only sync a draft (without publishing directly); default false
Require an explicit user confirmation step that shows the final content, platforms, accounts, and whether the action is draft-only or public publish before calling any publish tool.
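One way to enforce that confirmation step in the agent's tool-calling layer, as an added example that is not code from TurboPush, turbopush-mcp or the skill: the user is shown the exact tool, mode, accounts and content, and the approval is bound to a digest of that plan, so a public publish with no approval, or with an account list or body that changed after approval, fails closed. The tool and field names (`publish_article`, `postAccounts`, `syncDraft`) come from the skill excerpt above; `PlanGate`, `Confirmation`, `PublishBlocked` and the in-memory publish stub are hypothetical.

```python
"""Confirmation gate for an agent that drives TurboPush-style publish tools.

Added example; not code from TurboPush, turbopush-mcp or the skill. The tool and
field names (publish_article, postAccounts, syncDraft) come from the skill excerpt;
PlanGate, Confirmation, PublishBlocked and the publish stub are hypothetical.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class PublishBlocked(Exception):
    """Raised when a publish tool is about to be called without a valid confirmation."""


def canonical_plan(plan: dict) -> dict:
    """Normalise the fields the user is approving so equivalent plans hash identically."""
    return {
        "tool": plan["tool"],
        "content": plan["content"],
        "postAccounts": sorted(plan["postAccounts"]),
        # syncDraft defaults to false in the skill, i.e. direct public publish.
        "syncDraft": bool(plan.get("syncDraft", False)),
    }


def plan_digest(plan: dict) -> str:
    """SHA-256 over the canonical plan: any edit to content, accounts or mode changes it."""
    data = json.dumps(canonical_plan(plan), sort_keys=True, ensure_ascii=False,
                      separators=(",", ":"))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def render_for_user(plan: dict) -> str:
    """The summary the user must see before approving: tool, mode, accounts, content, digest."""
    c = canonical_plan(plan)
    mode = "DRAFT ONLY (syncDraft=true)" if c["syncDraft"] else "PUBLIC PUBLISH (syncDraft=false)"
    return "\n".join([
        f"Tool: {c['tool']}",
        f"Mode: {mode}",
        "Accounts: " + ", ".join(c["postAccounts"]),
        "Content:\n" + c["content"],
        f"Approve by returning digest {plan_digest(plan)}",
    ])


@dataclass
class Confirmation:
    digest: str  # digest of the plan the user actually approved


@dataclass
class PlanGate:
    """Wraps the real publish tools and refuses public posts lacking a matching confirmation."""
    publish_tools: Dict[str, Callable[[dict], str]]
    calls: List[str] = field(default_factory=list)

    def publish(self, plan: dict, confirmation: Optional[Confirmation]) -> str:
        tool = plan["tool"]
        if tool not in self.publish_tools:
            raise PublishBlocked(f"unknown publish tool {tool!r}")
        c = canonical_plan(plan)
        # A draft sync is reversible; a public post is not. Public posts need a
        # confirmation bound to this exact plan, so a swapped account or edited
        # body after approval fails closed instead of going out under the old approval.
        if not c["syncDraft"]:
            if confirmation is None:
                raise PublishBlocked("public publish attempted without user confirmation")
            if not hmac.compare_digest(confirmation.digest, plan_digest(plan)):
                raise PublishBlocked("plan changed after confirmation; show it again and re-confirm")
        self.calls.append(tool)
        return self.publish_tools[tool](plan)


def demo() -> dict:
    """Three attempts: unconfirmed public post, tampered plan, then the approved plan."""
    sent: List[dict] = []

    def fake_publish_article(plan: dict) -> str:  # stands in for the real MCP tool
        sent.append(plan)
        return "ok"

    gate = PlanGate({"publish_article": fake_publish_article})
    plan = {"tool": "publish_article", "content": "Release notes v1.2",
            "postAccounts": ["wechat:acct-1"], "syncDraft": False}  # constructed sample
    results = {}
    try:
        gate.publish(plan, None)
    except PublishBlocked as e:
        results["unconfirmed"] = str(e)
    approval = Confirmation(plan_digest(plan))  # user read render_for_user(plan) and approved
    tampered = dict(plan, postAccounts=["wechat:acct-1", "weibo:acct-9"])
    try:
        gate.publish(tampered, approval)
    except PublishBlocked as e:
        results["tampered"] = str(e)
    results["confirmed"] = gate.publish(plan, approval)
    results["sent"] = len(sent)
    return results
```

The digest is computed over the canonical plan rather than over a free-text summary, so reordering accounts does not invalidate an approval but flipping `syncDraft` from true to false, adding an account, or editing the body does. Drafts are passed through without approval here because they are reversible; tighten that branch if a draft on the target platform is itself sensitive.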
Anyone or any agent process with access to the local token and MCP server may be able to act through connected publishing accounts.
The skill uses a local authentication token and logged-in TurboPush accounts so it can publish through those accounts. This is expected for the stated purpose, and the artifact says credentials are locally managed.
`TURBO_PUSH_AUTH` | Authentication token ... account credentials are managed locally by the TurboPush application ... call `list_logged_accounts` to retrieve the logged-in accounts
Install only on a trusted machine, protect the TURBO_PUSH_AUTH value, and review which accounts are logged in before using the skill.
The installed binary will handle local account publishing authority, so a compromised or unverified release could have significant account impact.
The package itself ships no code that can be reviewed; it instructs the user to build or download an external binary and place it on PATH. This is common for MCP integrations, but it makes the skill's safety depend entirely on the provenance of that external binary.
git clone https://github.com/xueyc/turbopush-mcp.git ... go build -o turbo-push-mcp . ... sudo mv turbo-push-mcp /usr/local/bin/ ... or download the precompiled binary (recommended)
Use trusted releases, verify the source or release integrity where possible, and avoid installing unreviewed binaries with sudo on sensitive systems; a user-writable PATH directory is preferable to `sudo mv` into /usr/local/bin.
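A concrete form of that integrity check, as an added example that is not TurboPush project code: the downloaded release is hashed and compared against a pinned SHA-256 before anything is copied, and the install goes into a user-owned directory with owner-only permissions and an atomic rename, with no sudo. The page does not say whether the project publishes checksums or signatures, so the sample bytes and the pinned digest are constructed for the example; in real use the expected digest must come from a channel independent of the download (the release page, a signed checksum file, or your own `go build`).

```python
"""Verify a downloaded turbo-push-mcp release against a pinned SHA-256, then install it
without sudo into a user-owned PATH directory.

Added example; not TurboPush project code. SAMPLE_RELEASE and EXPECTED_SHA256 are
constructed so the example runs offline. In practice EXPECTED_SHA256 must be pinned
from a channel independent of the download; a digest read from the same untrusted
download proves nothing.
"""
import hashlib
import hmac
import os
import stat
import tempfile
from pathlib import Path

# Constructed stand-in for the release asset; a real asset is the Go binary.
SAMPLE_RELEASE = b"#!/bin/sh\necho stub turbo-push-mcp\n"
# Pinned out of band in practice; computed here only so the example runs offline.
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_RELEASE).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_and_install(download: Path, expected_sha256: str, bin_dir: Path) -> Path:
    """Refuse to install unless the digest matches; install atomically, owner-only, no sudo."""
    actual = sha256_file(download)
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        raise ValueError(f"digest mismatch for {download.name}: "
                         f"expected {expected_sha256}, got {actual}")
    bin_dir.mkdir(parents=True, exist_ok=True)
    dest = bin_dir / "turbo-push-mcp"
    tmp = dest.with_name(dest.name + ".part")
    tmp.write_bytes(download.read_bytes())
    tmp.chmod(stat.S_IRWXU)   # rwx for the owner only
    os.replace(tmp, dest)     # rename is atomic, so PATH never sees a half-written binary
    return dest


def demo() -> dict:
    """Good download installs; a tampered download is rejected and nothing lands on PATH."""
    results = {}
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        bin_dir = root / ".local" / "bin"   # user-writable; add to PATH instead of /usr/local/bin
        good = root / "turbo-push-mcp.download"
        good.write_bytes(SAMPLE_RELEASE)
        installed = verify_and_install(good, EXPECTED_SHA256, bin_dir)
        results["installed"] = installed.name
        results["mode_owner_only"] = stat.S_IMODE(installed.stat().st_mode) == stat.S_IRWXU
        bad = root / "tampered.download"
        bad.write_bytes(SAMPLE_RELEASE + b"echo backdoor\n")  # constructed tampering
        try:
            verify_and_install(bad, EXPECTED_SHA256, root / "elsewhere")
            results["tampered"] = "installed"
        except ValueError:
            results["tampered"] = "rejected"
        results["tampered_dir_exists"] = (root / "elsewhere").exists()
    return results
```

The digest is checked before the destination directory is even created, so a rejected download leaves no trace on PATH. Building from the cloned source with `go build` is the stronger option when you can read the code; the checksum path is for the precompiled binary the skill recommends, and it is only as good as the channel the pinned digest came from.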
