Shopify/WooCommerce Marketing Partner: Attribuly AllyClaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Attribuly marketing analytics skill, but it needs review because it combines sensitive ad/store data access with broad automatic triggers, raw Google/Meta query paths, and weak API-key handling guidance.

Install only if you intend to let an agent query Attribuly-connected store, revenue, funnel, Google Ads, and Meta Ads data. Use a least-privilege/read-only API key if available, avoid printing or storing the full key in shell/Docker files, confirm before any scheduled or chained report runs, and require human review before applying budget, pause, or bid recommendations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (41)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill’s stated purpose is analysis of Google Ads performance, but this section expands its capability to enumerate connected Google accounts and submit raw GAQL queries against multiple Google Ads resources. That materially broadens data access beyond the minimum needed for the declared task and creates a confused-deputy risk where a broadly triggered skill can pull sensitive account metadata and detailed ad/search-term data without tight scoping.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to print and verify the full API key value and shows literal secret values in commands/output examples. This increases the risk of credential exposure through terminal scrollback, shell history, screen sharing, logs, and plaintext config files, especially because the same document also recommends storing the key in OpenClaw config and shell startup files.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly tells users to retrieve and display the configured API key, including an example that prints the full secret back to the terminal. This increases the chance of accidental disclosure through shell history, screen sharing, terminal logging, or copied output, especially in shared admin environments.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README instructs users to send authenticated requests containing their API key to a remote service but provides no user-facing caution about handling credentials safely. While authenticated API use is expected for this product, the documentation normalizes direct manual use of secrets without warning about exposure risks in shell history, process inspection, logs, or copied commands.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly tells users to retrieve and display the configured API key value during verification, which can expose the full secret in terminal history, shell scrollback, logs, screen shares, or support screenshots. While this is documentation rather than executable code, it still creates a realistic secret-handling weakness because users are encouraged to reveal a live credential without masking guidance.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly instructs the agent to collect a website URL, business goals, and ideal customer profile data at onboarding, but it provides no minimization guidance, consent language, retention limits, or notice about how this information will be used. In a marketing analytics context, ICP details can include sensitive demographic and behavioral information, so silent collection increases privacy and compliance risk.

Natural-Language Policy Violations

Medium
Confidence
79% confidence
Finding
The skill mandates automatic language selection from the user's first message and requires the agent to continue in that language without confirming user preference. This can mis-handle multilingual users or shared accounts and may lead to confusion, mistaken disclosures, or inaccessible output, though it is primarily a UX and consent issue rather than a direct security flaw.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill declares activation on vague conversational context such as user distrust in platform-reported numbers and routine reconciliation periods. Broad triggers can cause unintended execution against sensitive marketing and store data, increasing the chance of unnecessary API calls, data exposure, or analysis being run outside explicit user intent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manual trigger phrases are broad, generic requests like 'Optimize audiences' and 'Who should I target?' that can easily match unrelated conversations. In an agentic system, this can cause the skill to activate outside its intended ecommerce-marketing context and initiate analysis flows or downstream API usage on the wrong user request.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs use of an external API with an API key and campaign performance data, but provides no warning, consent step, or data-handling constraints. This is dangerous because users or calling agents may transmit sensitive marketing and business data to a third-party service without clear disclosure or validation of credential and data-use policy.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manual trigger phrases are broad, generic marketing-language prompts such as 'Optimize bids' and 'My CPA is too high', which can cause the skill to activate during ordinary discussion rather than explicit user intent. In an agentic system, ambiguous invocation can lead to unintended data retrieval, recommendations, or downstream API use without sufficiently clear user authorization.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The context triggers use vague conditions like 'after budget reallocation' or 'when profitability is declining' without precise activation boundaries. This makes the skill easier to invoke unintentionally from inferred state or conversational context, increasing the chance of surprise actions or analysis based on stale or partial data.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manual trigger phrases are very broad and overlap with normal analytical requests, which can cause the skill to activate when a user did not explicitly intend to perform budget-optimization actions. In a system that can influence recommendations or downstream automations, unintended invocation increases the chance of unsafe or context-misaligned spend guidance being produced.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill recommends reductions and immediate pauses for live campaigns without a prominent warning that these actions can directly affect ad delivery, learning phases, revenue, and customer acquisition. This is dangerous because users may treat the output as low-risk guidance and make abrupt operational changes that materially harm business performance.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The manual and context triggers are broad enough to activate on ordinary user requests such as asking for a quick update or what happened today. In an agentic environment, this can cause the skill to run unexpectedly and pull sensitive business-performance data without clear user intent, increasing the chance of unauthorized disclosure or surprise actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes external API use and business analytics processing but does not present a user-facing notice that sensitive commercial data will be sent to Attribuly endpoints. This weakens informed consent and transparency, and can lead users to expose spend, revenue, profit, and campaign performance data without realizing it leaves the local agent context.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manual triggers are broad enough to match ordinary conversation about marketing status, increasing the chance the skill activates when the user did not intend to run a Google-specific diagnostic workflow. Because the skill performs external data retrieval and potentially sensitive account analysis, overbroad activation expands the chance of unintended data access and execution.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The context triggers are ambiguous and permit activation based on generic discussion of search campaigns, branded performance, or Shopping/PMax topics. In combination with the skill’s broad data-access features, this ambiguity increases the risk of unintended invocation and unnecessary retrieval of sensitive advertising and account data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly instructs transmission of Google Ads account data and advertising performance metrics to an external API using an API key, but it does not require any user notice, consent, or data-handling warning. In an agent context, this can cause silent exfiltration of sensitive business analytics and linked account identifiers to third-party infrastructure, which is especially risky because the skill is designed to run automatically on trigger conditions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to send analytics and marketing-segmentation data to an external API using an authenticated ApiKey, but it does not require any user-facing notice or confirmation before transmission. In environments where landing-page URLs, campaign names, source/medium values, spend, and revenue are sensitive business data, this can cause unintended external disclosure and violate data-handling expectations.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill defines very broad manual trigger phrases such as common questions about Meta/Facebook performance that are likely to occur in ordinary conversation. This can cause unintended activation of a high-privilege analytics workflow that performs multiple API calls and data retrieval steps without a strongly scoped user intent check.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The context triggers are underspecified and rely on vague topics like prospecting, creative fatigue, or audience performance, which could match many benign discussions. In an agent setting, ambiguous activation conditions increase the chance that the skill runs when the user did not intend to authorize data access or analysis.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to send ad performance, placement, device, and demographic data to external Attribuly/Meta-connected APIs, but provides no user-facing notice, consent check, or data minimization guidance. Even if these APIs are expected dependencies, transmitting marketing and audience-segmentation data without explicit disclosure or controls creates a real privacy and compliance risk.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill defines very broad manual and context triggers such as generic requests for marketing health, weekly reports, and what changed in performance. In an agent environment, these loose activation conditions can cause unintended invocation and unnecessary access to sensitive marketing analytics, increasing the chance of data exposure or accidental actions without clear user intent.

External Transmission

Medium
Category
Data Exfiltration
Content
**Purpose:** Fetch available conversion goals dynamically.

```bash
curl -X POST "https://data.api.attribuly.com/v2-4-2/api/get/setting-goals" \
  -H "ApiKey: $ATTRIBULY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{}'
```
Confidence
92% confidence
Finding
curl -X POST "https://data.api.attribuly.com/v2-4-2/api/get/setting-goals" \ -H "ApiKey: $ATTRIBULY_API_KEY" \ -H "Content-Type: application/json" \ -d

VirusTotal

64/64 vendors flagged this skill as clean.
