Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meta Ad Spy

v1.0.0

Competitive intelligence skill for spying on competitor ads using Meta's Ad Library. Use this skill whenever the user wants to: research competitor Facebook/...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the implementation: Playwright scraping (phase 1) and optional Graph API calls (phase 2) are reasonable for extracting Meta Ad Library data and ad metadata. References to paid alternatives are consistent with the stated goal.
Instruction Scope
SKILL.md focuses on scraping Meta Ad Library and lookup helpers and does not request unrelated system files or secrets. However it instructs creation of a /tmp scraper, uses browser-stealth techniques (overriding navigator.webdriver, disabling AutomationControlled), and includes navigation/clicking logic — which gives the agent broad discretion to interact with third-party websites and could be used to evade detection. The instructions also assume the environment can run headless browsers and install packages.
Install Mechanism
There is no registry install spec, but the runtime instructions tell users to run pip install commands with the --break-system-packages flag and to run 'playwright install chromium'. These commands can modify system Python packages and will download/extract browser binaries, which is higher risk for an instruction-only skill. The install step is disproportionate for a passive analysis skill and could surprise users or require elevated permissions.
Credentials
The registry declares no required environment variables, which is consistent for Phase 1 (no token needed). Phase 2 (Graph API) clearly requires an access token, but the skill does not declare a primaryEnv or required env vars — this is acceptable if optional, but the absence should be made explicit to users (the skill will prompt for tokens if needed). References to third-party paid APIs indicate additional credentials may be needed if the user chooses them.
Persistence & Privilege
Skill is not always-enabled, requests no config paths, and has no install-time hooks declared in the registry. It does instruct writing a temporary scraper file to /tmp at runtime, which is normal for ephemeral scraping but should be run in a sandbox.
What to consider before installing
This skill appears to do what it says — automate Playwright scraping of Meta's Ad Library and optionally query the Graph API — but it asks you to install system-level Python packages and a headless Chromium binary and uses browser-stealth techniques. Before installing or running it:

(1) avoid running pip with --break-system-packages on machines you care about — use a virtualenv or container;
(2) run the scraper in a sandbox or isolated environment because it will download browser binaries and interact with external websites;
(3) be aware Phase 2 needs a Meta access token if you want spend/impression data — supply that only if you trust the code and environment;
(4) consider legal/ToS implications of scraping Meta; and
(5) if you don't want to install binaries locally, prefer using vetted APIs (the references mention paid alternatives) or a hosted scraper service.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d3mzsre99mhy2ak1dx1wrr983xr2b
