Ad Context Protocol (AdCP) Advertising

Security checks across malware telemetry and agentic risk

Overview

This advertising skill is coherent but should be reviewed because it encourages agent-driven campaign launches and budget changes that can affect real ad spend without strong approval guardrails.

Install only if you are comfortable with an agent helping operate advertising workflows. Before connecting production AdCP credentials, require explicit human approval for campaign creation, budget changes, launch/resume actions, creative uploads, and targeting changes; set spend limits and use test endpoints first. Do not reuse the public test token for production, and avoid sending sensitive audience, customer, or regulated-category targeting data unless your legal and platform-policy requirements are satisfied.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence (Medium severity, 95% confidence)

Finding: The example says optimization should occur only after approval, but then hardcodes `const shouldOptimize = true` and immediately performs `updateMediaBuy`, which can normalize unsafe autonomous spend changes. In an advertising automation skill, this can cause unintended budget reallocation and financial impact if users copy the example into production without adding an approval gate.

Intent-Code Divergence (Medium severity, 98% confidence)

Finding: The document exposes a real-looking shared authentication token for a reachable test agent in plain text. Even if intended for testing, publishing reusable credentials enables unauthorized access, abuse of the test environment, quota consumption, and normalization of unsafe secret-handling practices for downstream users.

Context-Inappropriate Capability (High severity, 99% confidence)

Finding: The quick reference document publishes a bearer token directly in the skill content, which constitutes credential disclosure. Even if described as a testing token, it can be copied and used by anyone with access to the file, enabling unauthorized use of the AdCP test agent and potentially abuse of linked services, quotas, or data.

Context-Inappropriate Capability (Medium severity, 98% confidence)

Finding: The skill documentation exposes a reusable authentication token for a remotely accessible test agent. Even if intended for testing, publishing bearer-style credentials in a skill makes unauthorized use trivial, can enable abuse of the shared service, and trains downstream agents/users to handle secrets insecurely.

Missing User Warnings (Medium severity, 89% confidence)

Finding: The examples encourage users to call remote AdCP services for product discovery, campaign creation, delivery monitoring, and creative upload without clearly warning that campaign details, targeting criteria, creative asset URLs, and tracking data are transmitted to external systems. In this skill context, network transmission is expected, but the absence of disclosure and safety guidance increases the risk of accidental sharing of sensitive business or customer-targeting information.

Missing User Warnings (High severity, 99% confidence)

Finding: The markdown presents a live-looking authentication token directly in an example without any warning about credential sensitivity. In a skill focused on advertising automation, users are likely to copy-paste examples into working integrations, which increases the chance of credential reuse, leakage into logs/repos, and unauthorized access to connected services.

Missing User Warnings (Medium severity, 97% confidence)

Finding: The documentation includes a live authentication token without any prominent warning that it is sensitive credential material, increasing the likelihood that users will treat it as safe to reuse or redistribute. In a skill designed for automated advertising actions, exposing even test credentials is risky because agents may automatically consume them to perform authenticated operations.

Missing User Warnings (Medium severity, 91% confidence)

Finding: The README encourages switching to production and launching campaigns with real budgets, but it does not clearly warn that these actions can trigger actual ad spend and financially irreversible commitments. In an agent-driven workflow, that omission increases the risk that a user or downstream system treats production actions as routine conversational commands without adequate confirmation or spend controls.

Missing User Warnings (Medium severity, 88% confidence)

Finding: This skill is designed to create and manage advertising campaigns, including budgeted media buys, but the introductory capability framing lacks strong warnings that actions can trigger real spend and external business effects. In an agent context, natural-language automation without explicit confirmation boundaries increases the chance of unintended purchases, campaign launches, or budget changes.

Missing User Warnings (High severity, 95% confidence)

Finding: The quick-start states that a campaign 'goes live instantly,' which normalizes immediate execution of spend-affecting actions without emphasizing approvals, costs, or irreversible external effects. In an LLM-driven workflow, this can cause users or connected agents to treat campaign launch as a low-risk action and accidentally initiate real advertising spend.

Missing User Warnings (Medium severity, 90% confidence)

Finding: The examples demonstrate reallocating budget and updating campaigns as simple conversational actions, but they do not warn that these operations alter live spend allocation and business outcomes. This lowers operator caution and can lead to unintended financial changes when an agent executes natural-language requests directly.

Missing User Warnings (Medium severity, 93% confidence)

Finding: The guide explicitly recommends retargeting website visitors using a pixel and lookback windows, but it provides no warning about consent, privacy disclosures, or applicable legal/policy requirements. In an advertising automation skill, this omission can lead users to deploy tracking-based audience targeting in ways that violate privacy laws, platform policies, or user expectations.

Missing User Warnings (Medium severity, 91% confidence)

Finding: The document promotes demographic, income, life-event, interest, purchase-intent, and household-based targeting without any caution about fairness, anti-discrimination rules, or restricted-category advertising policies. Because this skill is specifically designed to automate ad campaign setup, the lack of guardrails makes misuse more likely and can enable discriminatory or non-compliant audience selection at scale.

Ssd 3 (Medium severity, 97% confidence)

Finding: Including a real-looking shared auth token in public-facing documentation encourages disclosure and reuse of sensitive credentials as normal practice. Because this skill automates advertising and media-buying workflows, unauthorized use could trigger actions against external systems, consume shared resources, or facilitate pivoting into broader integrations if the token is valid or over-scoped.

Ssd 3 (Medium severity, 99% confidence)

Finding: A publicly exposed authentication token in usage instructions can be copied by anyone and used to access the test agent outside intended controls. Even if the environment is non-production, this creates unauthorized access risk, service abuse, quota exhaustion, and possible pivoting if the test agent has broader capabilities or shared trust assumptions.

VirusTotal

63/63 vendors flagged this skill as clean.