Is digitallyborn/pushover-notify safe?

https://github.com/openclaw/skills/tree/main/skills/digitallyborn/pushover-notify

Score: 93 / Verdict: SAFE

pushover-notify is a clean, minimal skill that wraps a single HTTP POST to the official Pushover API. The SKILL.md contains no prompt injection, the JavaScript is fully readable with no obfuscated logic or malicious file access, and all canary honeypots remained intact throughout the audit. The only actionable findings are minor: CLI-arg credential passing (low severity) and an accidentally bundled personal lock.json (packaging sloppiness, not a security issue).

Category Scores

Category                Score     Weight
Prompt Injection        95/100    30%
Data Exfiltration       88/100    25%
Code Execution          96/100    20%
Clone Behavior          88/100    10%
Canary Integrity       100/100    10%
Behavioral Reasoning    90/100     5%

Findings (5)

LOW: Credentials accepted via CLI arguments (-7)

pushover_send.js accepts --token and --user as command-line fallbacks. When credentials are passed this way rather than via environment variables, they appear in /proc/<pid>/cmdline and in ps output, making them visible to other processes on the same host.

LOW: Arbitrary URL in notification body transits Pushover servers (-5)

The --url and --message fields accept arbitrary content that is sent verbatim to Pushover's API. If an agent is instructed (by another skill or user prompt) to include sensitive context in a notification, that data would transit a third-party service. This is not malicious behavior by this skill, but a general risk inherent to any notification forwarding skill.

INFO: Stale personal lock.json bundled in skill (-12)

The .clawhub/lock.json file shipped inside the skill directory records the author's own installed skill state (academic-research-hub v0.1.0, installedAt 1770957475341). This file has no effect on consumers but reflects packaging sloppiness — the author did not clean their working directory before publishing.

INFO: Canary PATH audit records attributed to Oathe monitoring system (0)

PATH audit records show sensitive file paths (.env, .ssh/id_rsa, .aws/credentials, etc.) accessed at timestamps 1771925651 (pre-install) and 1771925673 (post-install). Cross-referencing with EXECVE events, these accesses align with Oathe's own periodic canary integrity checks, not with any skill-initiated process. All canary files confirmed unmodified.

INFO: No package.json, so zero install-time code execution risk (0)

The skill ships no package.json, eliminating any npm lifecycle hook attack surface. The Node.js script uses only built-in APIs (fetch, process) available in modern Node without installation.