novu
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references several official SDKs and packages including @novu/api, @novu/react, @novu/nextjs, @novu/js, and novu-py. These are all maintained by the vendor (Novu) and are legitimate dependencies for the service.
- [COMMAND_EXECUTION]: Examples include standard package manager commands (npm, yarn, pnpm, pip) and curl requests to the official Novu API (api.novu.co). These are intended for setup and testing purposes and do not execute untrusted remote code.
- [CREDENTIALS_UNSAFE]: The skill correctly identifies the need for a server-side NOVU_SECRET_KEY and recommends using environment variables to manage it. Code snippets use placeholders like YOUR_SECRET_KEY rather than hardcoding actual credentials.
- [DATA_EXFILTRATION]: While the skill sends data to external endpoints (api.novu.co), this is the core functionality of the notification service. There is no evidence of data being sent to unauthorized or unknown third-party domains.
Audit Metadata