Meta Ads CAPI Setup

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable Meta Conversions API setup guide with expected privacy and credential-handling cautions, but no hidden code or deceptive behavior.

Before using this guide, confirm you have appropriate consent or another lawful basis to send hashed identifiers, CRM status, and revenue events to Meta. Minimize transmitted fields, honor opt-outs, update privacy disclosures, and store Meta system-user tokens like passwords with least-privilege access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill directs users to send hashed personal data such as email and phone to Meta, but it does not warn about consent, lawful basis, retention, or jurisdictional privacy obligations. Hashing is not anonymization in this context because Meta can still use the data for matching, so the omission creates real privacy and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.