ClawHub

Apple Search Ads

Security checks across malware telemetry and agentic risk

Overview

This Apple Search Ads skill is coherent and not malicious, but it needs Review because it can guide real ad-account changes and handles credentials, persistent business data, and attribution data without enough guardrails.

Install only if you are comfortable letting an agent help manage a real Apple Search Ads account. Use least-privilege Apple credentials, keep private keys in a protected file or secret manager, avoid storing secrets in shell startup files or logs, require explicit approval before campaign or keyword mutations, review and clear ~/apple-search-ads/memory.md as needed, and do not enable IDFA or log attribution payloads unless your app has the required consent and privacy controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill metadata says the environment should provide ASA_PRIVATE_KEY_FILE, but the script actually expects ASA_PRIVATE_KEY containing the raw PEM key. That mismatch can cause operators to place the private key directly into an environment variable or modify the runner unsafely, increasing secret exposure in process listings, logs, crash dumps, and shell history. In a skill that handles OAuth signing keys, this inconsistency is security-relevant rather than cosmetic.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The Adjust example explicitly enables `allowIdfaReading = true`, which expands data collection beyond Apple Search Ads attribution and is not necessary for the documented purpose of ASA integration. In a marketing attribution skill, this can lead developers to collect device identifiers they did not intend to use, increasing privacy, compliance, and platform-policy risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide instructs sending campaign and attribution data to analytics/backends and storing campaign IDs locally, but provides no warning about privacy disclosures, data minimization, retention, or user notice. This omission can cause implementers to operationalize tracking flows that may violate internal privacy standards or legal/app-store disclosure requirements.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Saying AdServices works without ATT is technically accurate, but without adjacent privacy guidance it may be interpreted as permission to collect attribution data with no user-facing disclosure obligations. In this context, the danger is not code execution but misleading implementers into privacy-invasive or non-compliant data collection practices.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The debugging example prints part of the attribution token and the full attribution response to logs, which may expose sensitive marketing and attribution data in device logs, crash reports, CI output, or shared debugging tools. Even partial tokens and campaign metadata can create unnecessary privacy exposure and make secrets or identifiers easier to harvest in non-production environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The template instructs users to load a private PEM key directly into an environment variable via shell startup files. While common, this increases exposure risk because environment variables can leak through process inspection, debugging output, crash reports, shell history mishandling, or child process inheritance; the file also lacks any warning or safer alternative guidance.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly states that app identifiers, campaign structure, performance indicators, and reporting preferences will be saved in a local memory file, but it does not instruct the agent to obtain user consent or warn that this information will persist across sessions. Even though the data is business/advertising data rather than highly sensitive credentials, persistent storage can expose confidential marketing strategy and performance information to later sessions, other local users, or unintended tooling access.

Session Persistence

Medium
Category
Rogue Agent
Content
## Setting Environment Variables

```bash
# Add to ~/.zshrc or ~/.bashrc
export ASA_CLIENT_ID="your-client-id"
export ASA_TEAM_ID="your-team-id"
export ASA_KEY_ID="your-key-id"
Confidence
88% confidence
Finding
Add to ~/.zshrc

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal