ClawHub

Amazon Ads CLI

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Amazon Ads reporting helper, but it requires sensitive Amazon Ads OAuth credentials and care around downloaded business data.

Install only if you trust the external npm CLI and are comfortable granting it Amazon Ads API access. Prefer least-privileged, short-lived credentials; avoid printing tokens or credential file contents; protect any credentials file with restrictive permissions; and treat report downloads, report URLs, and ad performance data as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill is described as 'read-only', but it instructs use of async report commands that create report-generation jobs server-side. That mismatch can mislead an operator into believing no state-changing actions occur, weakening informed consent and risk assessment even if the action is relatively limited.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The documentation simultaneously claims the tool is read-only while later describing report creation and audience-management capabilities, creating inconsistent security expectations. In an agent setting, such ambiguity can cause the system or user to permit actions they would otherwise scrutinize or block.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill instructs handling OAuth access tokens, reading credentials from disk, and later downloading report data, but it does not warn about secret exposure, log leakage, filesystem persistence, or sensitivity of report contents. In an agent workflow, this increases the chance that credentials or downloaded business data are mishandled or exposed to other tools, prompts, or logs.

Credential Access

High
Category
Privilege Escalation
Content
## Authentication

The CLI requires an Amazon OAuth2 **access token** and **client ID** from a Login with Amazon app. Credentials are resolved in this order:

1. `--credentials <path>` flag (per-command) -- reads the specified JSON file
2. Auto-detected file: `~/.config/amazon-ads-open-cli/credentials.json`
Confidence
94% confidence
Finding
access token

Session Persistence

Medium
Category
Rogue Agent
Content
## Error handling

- **"No credentials found"** -- ask the user to set `AMAZON_ADS_ACCESS_TOKEN` + `AMAZON_ADS_CLIENT_ID` env vars, or create `~/.config/amazon-ads-open-cli/credentials.json`
- **"Profile ID required"** -- the command needs `AMAZON_ADS_PROFILE_ID`. Run `profiles` first to discover available profile IDs
- **HTTP 401** -- access token is expired or invalid; ask the user to refresh their OAuth token
- **HTTP 403** -- the profile may not have access to the requested resource, or the API scope is insufficient
Confidence
80% confidence
Finding
create `~/.config

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal