Back to skill

Security audit

Ads Manager Claw

Security checks across malware telemetry and agentic risk

Overview

This ads-management skill is purpose-aligned, but it asks for powerful ad-account credentials and enables spending or campaign changes without enough guardrails.

Install only if you are prepared to handle ad credentials carefully. Do not paste access tokens, API secrets, OAuth client files, refresh tokens, or customer lists into chat; use secure OAuth or a secret manager, grant least-privilege access, and require explicit confirmation before any budget change, campaign activation, pause, deletion, or audience upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill metadata promises analysis and recommendations before execution, but later sections instruct the agent to execute actions. This inconsistency can cause unsafe autonomous changes to ad accounts without the user’s informed approval, especially in a workflow that can spend money or alter campaigns.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The skill first says to confirm with the user before any action, but the final behavior says to always 'Analyze → Diagnose → Recommend → Execute.' In an ads-management context, that contradiction is dangerous because execution can directly change spend, pause campaigns, or deploy new campaigns, causing financial loss or operational disruption.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill asks the user to paste an Ad Account ID and access token directly into the conversation, without clear guidance on secure handling, least privilege, masking, or approved secret-sharing mechanisms. Access tokens are sensitive credentials that could enable unauthorized access to advertising accounts, campaign data, and billing-related operations if exposed or mishandled.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to generate, copy, and exchange highly sensitive credentials including access tokens and an app secret, but provides no warning that these values grant API access and must be protected. In an agent skill context, users may paste these secrets directly into chats or insecure locations, increasing the risk of credential theft, account takeover, and unauthorized ad spend.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The Google Ads section tells users to create and download an OAuth client JSON file without warning that it contains sensitive client credentials. That omission is risky because users may upload or store the file insecurely, exposing secrets that can be abused to obtain or misuse API access depending on the surrounding OAuth flow and account configuration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The X and Snapchat instructions describe generating API keys, API secrets, access tokens, client secrets, and refresh tokens without any confidentiality warning or safe-handling guidance. In a skill designed to manage ad campaigns, these credentials enable direct access to advertising accounts, so poor handling can lead to unauthorized campaign changes, data exposure, and fraudulent spending.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The reference documents creation of Custom Audiences from an email list and uploading hashed emails, but it omits any requirement for lawful basis, user consent, platform policy compliance, retention limits, or notice obligations. In an ads-management skill, this omission can normalize privacy-sensitive targeting workflows and lead users to ingest customer PII into advertising platforms without adequate authorization, creating legal, compliance, and trust risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The reference shows how to exchange a refresh token using a client secret and then use the returned access token, but it does not warn against storing these secrets in plaintext, exposing them in prompts, or logging request/response bodies. In an agent skill that may orchestrate API calls and surface debugging information, omission of credential-handling guidance increases the chance of accidental secret leakage and account compromise.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation encourages use of custom audiences built from hashed customer emails or phone numbers but gives no warning about consent, lawful basis, retention, or approved handling of personal data. Hashing reduces exposure but does not eliminate privacy or compliance risk, especially in an ads-management skill likely to process real customer data for Indian businesses across platforms.

Ssd 3

Medium
Confidence
98% confidence
Finding
Requesting highly sensitive access tokens in plain natural language creates a strong risk of credential exposure through chat logs, screenshots, model retention uncertainty, or accidental disclosure to downstream systems. Because the skill is for ad-platform management, such tokens could be used to read data, change campaigns, or abuse advertising spend.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.