ad-intelligence-skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only ad research skill that uses public ad-library scraping and optional third-party APIs, with no hidden install behavior or persistence found.

Install only if you are comfortable with an agent making web requests to ad platforms and named third-party providers for competitor research. Prefer Phase 1 for public lookups, use API keys only for providers you trust, and avoid sensitive investigation terms unless you are comfortable sending them to the chosen platform or API service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases are broad enough to match generic marketing or ad-research requests, which can cause this skill to activate when the user did not specifically ask for ad-library intelligence or scraping. In a system with tool/skill routing, this increases the chance of unnecessary web-scraping behavior, over-collection of third-party data, and responses that drift beyond the user's actual intent.

Missing User Warnings

Medium
Confidence: 86%
Finding
The file provides operational guidance for scraping LinkedIn and sending company queries plus API credentials to multiple third-party services, but it omits safeguards around user consent, data handling, rate limits, vendor trust, and compliance with platform terms. In a reusable agent skill, that omission is dangerous because it can cause downstream agents to perform external data transfers and scraping by default without any policy gate or warning.

Missing User Warnings

Medium
Confidence: 90%
Finding
This section instructs users to scrape Meta Ad Library and use unofficial third-party services without clearly warning that brand names, search queries, page IDs, and potentially derived business intelligence requests will be sent to external services. In a competitive-intelligence skill, users may assume local analysis, so the omission creates a real privacy, compliance, and data-handling risk even if no secret is directly exposed in the examples.

Missing User Warnings

Medium
Confidence: 95%
Finding
The guidance tells users to generate access tokens and provide API keys but does not include any warning that these credentials are sensitive secrets that must not be logged, hardcoded, or shared with third-party tools unnecessarily. Because the skill encourages automation across official and commercial APIs, poor credential handling could lead to account abuse, unauthorized data access, billing fraud, or token leakage through logs and transcripts.

VirusTotal

64/64 vendors flagged this skill as clean.
