pp-pushover
Pass
Audited by Gen Agent Trust Hub on May 23, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the `pushover-pp-cli` tool using `npx -y @mvanhorn/printing-press install pushover --cli-only`. This is a remote package installation from the author's own NPM scope.
- [DATA_EXFILTRATION]: The CLI supports a `--deliver webhook:<url>` flag, which allows the output of any command to be POSTed to an arbitrary URL. This creates a surface for data exfiltration if the agent is provided with an attacker-controlled URL.
- [DATA_EXFILTRATION]: The `feedback` command can automatically send local feedback data to a remote server if the `PUSHOVER_FEEDBACK_ENDPOINT` environment variable is configured and specific flags or auto-send variables are set.
- [COMMAND_EXECUTION]: The skill executes various subcommands of the `pushover-pp-cli` binary based on user arguments, including those for managing groups, devices, and licenses.
Audit Metadata