Ad Platform Tracker Skill

Security checks across malware telemetry and agentic risk

Overview

This is a read-only advertising research skill that uses public platform sources and optional scraper tools, with no hidden install code or persistence.

Install this if you want help tracking public Meta/Google Ads changes and competitor ads. Before using scraper or API workflows, confirm the target sites are public, avoid sending sensitive business data unnecessarily, review third-party tool terms, and provide tokens only when you intentionally want those external calls made.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (94% confidence)
Finding
The skill’s trigger scope is extremely broad and explicitly says to "always use this skill," which can override normal tool-selection judgment and route many ordinary ad-related queries into a workflow that depends on dynamic external sources. That increases the chance of unnecessary external access, over-collection of user/task context, and degraded answer integrity if the referenced trackers or downstream scraping steps are stale, inaccurate, or manipulated.

Missing User Warnings

Medium (96% confidence)
Finding
The skill instructs use of external scraping tools and third-party actors for competitor monitoring without any consent, disclosure, minimization, or policy-compliance checks. In practice, this can cause user queries, target URLs, advertiser identifiers, or monitoring targets to be transmitted to outside services and may encourage collection workflows that violate platform terms or privacy expectations.

VirusTotal

64/64 vendors flagged this skill as clean.
