ClawHub

Ads Analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for analyzing Meta ads and packaging a report, but users should review where reports and asset bundles are sent.

Install only if you are comfortable with the skill processing ad creatives, landing-page screenshots, and reports locally and potentially sending the finished bundle through Telegram. Before use, confirm the Telegram destination, avoid confidential campaign material unless intended, and ensure generated HTML reports escape untrusted ad or landing-page text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to zip all extracted assets and send them via Telegram, which creates an external data exfiltration path for potentially sensitive ad creatives, landing page screenshots, and campaign intelligence. Because the workflow operates on locally collected assets and does not mention consent checks, classification, or redaction, it can cause unintended disclosure to a third-party messaging platform.

Ssd 3

Medium
Confidence
94% confidence
Finding
This instruction directs transmission of the generated report and bundled media assets to a third-party channel in plain language, with no security controls or trust boundary acknowledgment. In context, the bundle may include proprietary marketing assets and screenshots that reveal business strategy or customer-facing flows, so external transfer materially increases confidentiality risk.

VirusTotal

41/41 vendors flagged this skill as clean.

View on VirusTotal