Security audit

Facebook Ad Library Tracker & Monitor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PPSPY Facebook ad monitoring skill, with normal caution needed because it installs a third-party MCP server and uses a PPSPY API key.

Before installing, make sure you trust PPSPY and the ppspy-mcp-server npm package. Use a PPSPY API key whose billing/quota you are comfortable with, and remember that the server can spend monitoring quota and modify monitoring groups or tasks in your PPSPY account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill requires a PPSPY API key and is configured to pass that credential to an external MCP server/service, but the user-facing description and setup text do not clearly warn that the key will be transmitted to a third-party provider. This is a real transparency and secret-handling issue because users may supply credentials without understanding the external trust boundary, billing implications, or data-sharing risks.

VirusTotal

61/61 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.