pp-pushover

Pass

Audited by Gen Agent Trust Hub on May 23, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill installs the pushover-pp-cli tool using npx -y @mvanhorn/printing-press install pushover --cli-only. This is a remote package installation from the author's own NPM scope.
  • [DATA_EXFILTRATION]: The CLI supports a --deliver webhook:<url> flag, which allows the output of any command to be POSTed to an arbitrary URL. This creates a surface for data exfiltration if the agent is provided with an attacker-controlled URL.
  • [DATA_EXFILTRATION]: The feedback command can automatically send local feedback data to a remote server if the PUSHOVER_FEEDBACK_ENDPOINT environment variable is configured and specific flags or auto-send variables are set.
  • [COMMAND_EXECUTION]: The skill executes various subcommands of the pushover-pp-cli binary based on user arguments, including those for managing groups, devices, and licenses.
Audit Metadata
Risk Level
SAFE
Analyzed
May 23, 2026, 04:24 AM
Security Audit — agent-trust-hub — pp-pushover