ClawHub

Ad Spy Pipeline

Security checks across malware telemetry and agentic risk

Overview

The skill’s advertising workflow is coherent, but it needs review because it promotes unattended scraping, AI processing, and Facebook ad-account changes using credentials and a referenced script that is not included for review.

Review before installing. Ask for the full storm_pipeline_agent.py source and verify it before running it with real API keys. Use least-privilege tokens, a test or low-risk ad account first, clear limits on campaign creation, logging, and manual approval before enabling any daily cron schedule. Also confirm rights and platform terms before scraping and sending competitor creatives to an external AI provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly describes downloading competitor ad creatives and sending those third-party assets to an external AI service for adaptation, but it does not warn users about the privacy, copyright, terms-of-service, and data-transfer implications. This omission is dangerous because operators may enable automated scraping and onward transmission of third-party content without informed consent, legal review, or controls over what is being shared.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill automates creation of Facebook ad campaigns via API, yet the description does not prominently warn that this can make account-level changes in a production advertising environment. Even though ads are created in PAUSED mode, automated campaign creation can still cause policy violations, clutter, unintended spend if later activated, or operational mistakes if users do not understand the automation's reach.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal