Ad Engine

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims for Facebook ad deployment, but it ships with a hardcoded database credential and risky setup behavior that needs manual review.

Install only after reviewing or fixing the hardcoded Supabase credential, rotating that database password, and moving dependencies to a pinned setup step. Treat the Facebook token like a password with ad-spend authority, prefer environment variables or a secrets manager, and use preview/dry-run plus Ads Manager review before enabling campaigns or tracking.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
            print(f"Installing {pkg}...", file=sys.stderr)
            try:
                subprocess.check_call([
                    sys.executable, "-m", "pip", "install",
                    "--break-system-packages", "-q", pkg
                ])
Confidence
91% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", "--break-system-packages", "-q", pkg ])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"--break-system-packages", "-q", pkg
                ])
            except subprocess.CalledProcessError:
                subprocess.check_call([
                    sys.executable, "-m", "pip", "install", "-q", pkg
                ])
Confidence
91% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", "-q", pkg ])

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documentation describes capabilities including local file reads/writes, network access, shell execution, and environment access, but it declares no permissions. This creates a transparency and governance failure: users and enforcement systems cannot accurately assess or constrain what the skill can do, which is especially risky because it handles credentials, installs software, and talks to external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a real security issue because the skill's stated behavior omits sensitive and risky actions: runtime pip installation via subprocess, persistent local storage of Facebook credentials, and especially hardcoded default Supabase credentials/DSN. Hidden or under-disclosed behaviors reduce informed consent and reviewability, while embedded database credentials could directly expose backend data or enable unauthorized access if reused in practice.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill auto-installs Python packages by invoking pip during normal execution, which is unnecessary for basic ad assembly/deployment and materially increases risk. This can execute third-party package code, weaken environment controls with --break-system-packages, and make the skill's real behavior broader than advertised.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script embeds a full Supabase/Postgres DSN including credentials directly in source code. Hardcoded database credentials can be extracted by anyone with file access, enable unauthorized database access, and are especially dangerous here because the database likely contains campaign data and possibly other sensitive records.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The spec explicitly instructs setting up Facebook Pixel, Conversions API, custom conversions, UTM parameters, and retargeting flows, but provides no requirement to present a privacy notice, obtain consent where required, or document lawful basis for tracking. In an ad-deployment skill, this omission is security/privacy-relevant because it operationalizes cross-platform user tracking and audience profiling that can violate privacy obligations and expose collected behavioral data to misuse or noncompliant processing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide instructs users to generate, copy, and use sensitive Facebook access tokens and app secrets, but it does not warn that these credentials grant ad-management capabilities and must be protected from logs, shell history, screenshots, chat transcripts, and shared terminals. In a server-side deployment workflow, omission of safe-handling guidance materially increases the chance of credential leakage and unauthorized ad account use.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guide states that credentials will be saved to ~/.config/ad-engine/fb_config.json but provides no warning about local secret storage, file permissions, multi-user server risk, backups, or plaintext exposure. Because the skill runs on a server via SSH, storing a long-lived token in a config file without user-facing security precautions can enable account takeover or fraudulent ad deployment if the server or home directory is accessible.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup flow instructs the user to enter a long-lived Facebook access token and states it will be saved to ~/.config/ad-engine/fb_config.json, but it does not warn about the sensitivity of that token or the local compromise risk. Long-lived ad-management tokens can enable unauthorized ad creation, budget abuse, data exposure, and account misuse if the file is read by other local users, malware, backups, or misconfigured permissions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script persists Facebook access credentials to a local config file without a clear upfront warning that tokens will be stored on disk. Although file permissions are tightened afterward, storing long-lived marketing tokens locally increases the risk of credential theft from backups, local compromise, or multi-user systems.

VirusTotal

65/65 vendors flagged this skill as clean.
