Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pinterest Ads CLI
v1.0.0
Pinterest Ads data analysis and reporting via pinterest-ads-cli. Use when the user wants to check Pinterest ad performance, pull campaign/ad group/ad stats,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a read-only Pinterest Ads CLI and the commands and scopes (ads:read, catalogs:read, billing:read, etc.) match that purpose. However the skill metadata declares no required environment variables or primary credential even though the runtime instructions explicitly require a Pinterest OAuth access token (PINTEREST_ADS_ACCESS_TOKEN or ~/.config/pinterest-ads-cli/credentials.json). This metadata omission is inconsistent and should be corrected.
Instruction Scope
Runtime instructions are limited to running the pinterest-ads-cli commands, guidance for authentication, and CLI options. The instructions reference only a credential file inside ~/.config/pinterest-ads-cli and an environment variable for the token; they request and read nothing else on the system.
Install Mechanism
There is no install spec in the skill bundle (lowest risk), but the SKILL.md instructs the user to run 'npm install -g pinterest-ads-cli'. Installing a global npm package runs arbitrary code from the npm registry and is higher risk than an instruction-only skill. The skill does not provide a verified homepage, release URL, or checksum; users should verify the npm package author and source before installing globally.
Credentials
The only credential the tool needs (Pinterest OAuth access token) is reasonable for the described functionality, but the skill metadata does not declare it. The SKILL.md states credentials are resolved from an env var (PINTEREST_ADS_ACCESS_TOKEN) or a credentials file at ~/.config/pinterest-ads-cli/credentials.json — the agent (or user) may inadvertently expose that token if not careful. The lack of declared required env vars in the metadata is a notable mismatch.
Persistence & Privilege
The skill does not request always: true, does not include install-time hooks in the bundle, and is instruction-only. There is no requested persistent elevated privilege in the skill manifest.
What to consider before installing
This skill appears to be a wrapper around a Pinterest CLI and its commands are coherent, but the bundle has two practical problems: (1) the SKILL.md requires a Pinterest OAuth token (PINTEREST_ADS_ACCESS_TOKEN or a credentials file) but the skill metadata does not declare that requirement, and (2) it tells you to install a global npm package without providing a trusted source URL or homepage. Before installing or running it: verify the npm package name and publisher on npmjs.com (or prefer installing locally rather than -g), restrict the OAuth token scopes to the minimum needed, store tokens in a secure location, and consider running the CLI manually to confirm outputs. If you plan to let an autonomous agent use this skill, require the author to update the metadata to declare the env var and provide a verified install URL or repository so you can audit the package; the current omissions are sloppy and increase risk but don't by themselves indicate malicious intent.
Like a lobster shell, security has layers — review code before you run it.
