ClawHub
Back to skill

Security audit

Admapix 1.0.13

Security checks across malware telemetry and agentic risk

Overview

This is a coherent AdMapix ad-search skill that sends confirmed search parameters to AdMapix and does not show hidden local access, persistence, or destructive behavior.

Install only if you intend to use AdMapix and are comfortable sending ad-search keywords, regions, dates, and filters to api.admapix.com. Avoid confidential client, campaign, or competitor terms unless that sharing is acceptable, and verify the displayed parameters before confirming each search.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs sending user-provided search terms and filters to a third-party API without a clear user-facing notice that their query data will leave the host platform. This creates a privacy and data-handling risk, especially if users enter sensitive competitor research terms, client names, or campaign details assuming the interaction is local.

External Transmission

Medium
Category
Data Exfiltration
Content
POST JSON, example:

```bash
curl -s -X POST "https://api.admapix.com/api/data/search" \
  -H "X-API-Key: $ADMAPIX_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"content_type":"creative","keyword":"puzzle game","page":1,"page_size":20,"sort_field":"3","sort_rule":"desc","generate_page":true}'
Confidence
95% confidence
Finding
curl -s -X POST "https://api.admapix.com/api/data/search" \ -H "X-API-Key: $ADMAPIX_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**If set**, continue to the next step.

### Step 5: Build and Execute curl Command

After user confirmation, build the JSON body and call the API via curl.
Confidence
95% confidence
Finding
curl Command After user confirmation, build the JSON body and call the API via curl. **Build rules:** - `content_type` fixed to `"creative"` - `generate_page` fixed to `true` - Only include user-spe

External Transmission

Medium
Category
Data Exfiltration
Content
**Fetch data by calling the AdMapix API via curl.**

API endpoint: `https://api.admapix.com/api/data/search`
Authentication: Header `X-API-Key: $ADMAPIX_API_KEY` (environment variable, managed by the platform)

### Request Format
Confidence
93% confidence
Finding
https://api.admapix.com/

External Transmission

Medium
Category
Data Exfiltration
Content
POST JSON, example:

```bash
curl -s -X POST "https://api.admapix.com/api/data/search" \
  -H "X-API-Key: $ADMAPIX_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"content_type":"creative","keyword":"puzzle game","page":1,"page_size":20,"sort_field":"3","sort_rule":"desc","generate_page":true}'
Confidence
95% confidence
Finding
https://api.admapix.com/

External Transmission

Medium
Category
Data Exfiltration
Content
**Example:**

```bash
curl -s -X POST "https://api.admapix.com/api/data/search" \
  -H "X-API-Key: $ADMAPIX_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"content_type":"creative","keyword":"puzzle game","creative_team":["010"],"page":1,"page_size":20,"sort_field":"3","sort_rule":"desc","generate_page":true}'
Confidence
95% confidence
Finding
https://api.admapix.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.