FB Ads Copywriter Pro

Security checks across malware telemetry and agentic risk

Overview

This marketing copy skill is mostly purpose-aligned, but it embeds a default GLM API key and can send business/questionnaire content to external services without strong user-facing consent controls.

Review before installing. Use your own GLM_API_KEY and do not rely on the embedded fallback key; the publisher should remove and rotate it. Avoid putting confidential client or customer data into questionnaires unless you are comfortable sending it to the GLM provider, and only enable Resend or Telegram after confirming recipients and client consent. Prefer a version with pinned dependencies and clearer privacy/data-flow notices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises file, environment, and network-capable behavior but does not declare any permissions, which weakens user visibility and platform enforcement. In this context, the skill reads questionnaires, writes delivery files, accesses API keys, and can contact external services, so the missing permission declaration materially increases the chance of unnoticed data access or exfiltration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose is ad-copy generation, but the skill also performs external LLM calls, writes delivery artifacts, and sends outputs through email and Telegram. This mismatch prevents informed consent and can cause users to expose client content, contact details, or business data to third parties under a narrower expectation of local text generation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill is described as generating Facebook ad copy, but the documentation also includes a full email-sending workflow via Resend. That adds a data exfiltration and unsolicited outbound communication channel not justified by the stated purpose, increasing the risk that generated content, user inputs, or client data could be sent externally without clear user intent.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Telegram message delivery is unrelated to the core copywriting function and introduces an additional external communications path. In agent skills, undocumented messaging channels are risky because they can be abused to leak outputs, prompts, or operational data to third-party destinations without an obvious business need.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill description presents this as a copy-generation tool, but the code also includes outbound delivery and notification capabilities. Hidden or under-disclosed external actions increase risk because users may provide business data expecting local content generation, while the skill can also contact third-party services and recipients.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code reads email and Telegram credentials and is capable of sending outbound notifications unrelated to the narrowly stated copywriting purpose. In an agent-skill context, undeclared communication channels materially expand the trust boundary and can expose generated content or customer metadata externally.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises email and Telegram delivery features and asks users to configure external-service credentials, but it does not clearly disclose that generated ad copy, questionnaire-derived content, and recipient identifiers may be transmitted to third-party services. This creates a real privacy and data-handling risk because operators may unknowingly send customer data or marketing materials outside the local environment without informed consent or proper review.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill describes email and Telegram delivery features without warning that generated content and possibly client identifiers will be sent to third-party services. For a marketing workflow, this can include customer questionnaires, product plans, and campaign materials, creating privacy, confidentiality, and compliance risk if users are not clearly informed.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The usage example normalizes sending generated output to client email and Telegram with no visible consent, warning, or redaction step. Because the workflow references saved questionnaire data and delivery files, users may unintentionally forward sensitive business or personal data to third-party platforms.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The suggestions encourage adding broad trigger terms like "create, build, skill, when, use" without defining boundaries or requiring clear user intent. In an agent skill system, overly generic triggers can cause unintended activation, prompt collisions, or routing of unrelated requests into this skill, which can degrade safety and reliability.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The recommendation to add fixed triggers for specific languages ("中文", "English") can bias routing based on language alone rather than user consent or task relevance. This may cause the skill to activate for any bilingual or multilingual request, increasing misrouting risk and creating unwanted behavior for users who did not opt into this skill.

Missing User Warnings

High
Confidence
100% confidence
Finding
A hardcoded default API key is embedded directly in the source code. This is dangerous because anyone with code access can reuse the credential, incur charges, abuse the provider account, or pivot into related systems if the key is broadly scoped.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Questionnaire content is sent to an external LLM API without any explicit user warning or consent mechanism. Because questionnaires may contain customer, business, or marketing-sensitive data, silent third-party transmission increases confidentiality and compliance risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=0.19.0
Confidence
96% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=0.19.0
Confidence
96% confidence
Finding
python-dotenv>=0.19.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
99% confidence
Finding
requests

VirusTotal

64/64 vendors flagged this skill as clean.
