Back to skill

Security audit

Facebook Ad Tracker & Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill coherently connects an agent to PipiAds monitoring tools, with disclosed account/API-key use and no evidence of hidden or destructive behavior.

Install this only if you intend to use PipiAds for Facebook advertiser monitoring and are comfortable giving the MCP server your PIPIADS_API_KEY. Before asking an agent to create tasks, change groups, or save notifications, confirm the advertiser, scope, and expected credit usage because those actions can affect your PipiAds account and ongoing alerts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly exposes state-changing operations such as creating monitor tasks, assigning groups, and saving notifications, but it does not warn that these actions modify the user's external PipiAds account and may initiate ongoing monitoring or alerts. This can lead an agent to perform persistent, billable, or noisy actions without clear user consent, especially because the workflow encourages task creation as a normal next step.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.