ClawHub

Meta Ads Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Meta Ads analysis skill whose requested credentials fit its purpose, with minor cautions about broad trigger wording and credential handling clarity.

Install only if you intend to let the agent read Meta Ads account data. Use a least-privilege ads_read token, confirm the exact ad account and date range before analysis, avoid relying on the generic trigger phrases unless you mean Meta Ads, and revoke or rotate the token when you no longer need the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases include very generic terms such as "analyze," "deep dive," and "diagnose," which are common in ordinary conversation and can cause the skill to activate when the user did not explicitly intend Meta Ads analysis. Because this skill requests access to advertising account data and may initiate API-driven workflows, unintended invocation can expose account context or prompt for sensitive credentials in the wrong conversational context.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The skill requires a Meta access token and ad account ID and instructs the agent to use them for Marketing API calls, but it does not clearly disclose the privacy and data-access implications to the user before requesting or using those credentials. In practice, this can lead users to provide sensitive account access without understanding what campaign data will be read, how long it will persist in session context, or what safeguards apply.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal