novu-trigger-notification

Pass

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill utilizes the official Novu SDKs (@novu/api for Node.js and novu-py for Python) downloaded from standard package registries (NPM and PyPI).
  • [DATA_EXFILTRATION]: The skill facilitates sending notification data, subscriber details, and metadata to the official Novu API endpoint (api.novu.co). This is documented and is the core intended purpose of the skill.
  • [PROMPT_INJECTION]: The skill accepts arbitrary data in the payload field which is then processed by Novu workflows. While this represents a surface for indirect prompt injection, the risk is mitigated by the platform's architectural design. The documentation correctly identifies this as a pitfall and recommends using payloadSchema for validation.
  • [CREDENTIALS_UNSAFE]: The skill documentation correctly instructs users to manage sensitive credentials like NOVU_SECRET_KEY using environment variables or secret management systems rather than hardcoding them.
Audit Metadata
Risk Level: SAFE
Analyzed: May 11, 2026, 03:50 PM