Security audit

lanbow-claw-skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Meta ads automation skill, but it asks for powerful advertising credentials and can change paid campaigns, so it should be reviewed carefully before installation.

Install only if you trust the lanbow-ads CLI and are comfortable granting Meta ad-management access. Use platform secret fields or environment variables instead of pasting tokens, app secrets, Gemini keys, or long-lived system-user tokens into chat; use a test ad account with a low budget; grant the narrowest scopes possible; and manually approve any campaign activation, budget change, targeting change, media upload, or credential storage step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (13)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The reference explicitly documents setting and retrieving `--app-secret` and listing all configuration values, which can normalize insecure secret handling and increase the chance that credentials are stored in plaintext or exposed through routine CLI usage, terminal history, logs, or screenshots. In an ad-delivery orchestration skill, these credentials grant access to Meta advertising assets and accounts, so disclosure could enable unauthorized campaign changes, spend, or account takeover workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to handle highly sensitive credentials and even suggests asking the user for an access token, app ID, and ad account ID, while lacking a strong, explicit warning against pasting secrets into chat or command histories. In an agent setting, this increases the chance of credential disclosure through conversation logs, shell history, telemetry, or verbose output, which could enable unauthorized access to the user's advertising account.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases include broad generic terms like "creatives" and "ad image," which can cause the skill to activate in situations the user did not intend. In a skill that can invoke Bash and send user content to external APIs, accidental invocation increases the chance of unintended data transmission and file creation.

Missing User Warnings

High
Confidence
99% confidence
Finding
The description says the skill uses Google Gemini APIs and requires an API key, but it does not clearly warn that product descriptions, audience data, requirements, CTA text, and optional product images will be transmitted to an external third party. This can expose sensitive commercial data or proprietary product assets without informed user consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow writes proposals and generated images to local files, but the instructions do not clearly warn users that artifacts will be saved into the workspace. This can create unintended persistence of sensitive marketing materials, product imagery, or API-derived outputs on shared or monitored systems.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The guide explicitly tells the user to copy an access token and send it to the agent, which exposes a live credential through chat/session history and any logging or retention layers around the platform. Although it suggests environment variables earlier, the inline instruction normalizes sharing a sensitive bearer token directly with the agent, increasing the chance of credential leakage or misuse.

Missing User Warnings

High
Confidence
99% confidence
Finding
The guide instructs the user to reveal and provide the App Secret, a highly sensitive long-lived secret that can enable token exchange and broader app compromise if exposed. Sharing an app secret through chat is especially dangerous because it may be retained in transcripts, logs, analytics systems, or visible to operators beyond the immediate session.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The template instructs the agent to extract content from user-provided website/PDF materials and persist intermediate artifacts to disk, but provides no user-facing disclosure, consent step, or storage-boundary constraints. In an agent environment, this can cause unexpected retention of uploaded or fetched sensitive content on the local filesystem, increasing the risk of data exposure, cross-task leakage, or accidental reuse beyond the user's intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill mandates writing many chapter files and a manifest to disk automatically, but does not warn the user that filesystem modifications will occur or restrict the output location beyond relative paths. In a multi-tool agent setting, silent file creation can overwrite prior work, create unintended artifacts, or enable broader data handling than the user reasonably expects.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list contains very broad phrases such as "Meta ads," "marketing report," and "market research," which can cause the skill to activate in contexts beyond its intended scope. In an orchestrated agent environment, ambiguous invocation increases the chance of unintended tool use, unnecessary web research, and execution of downstream workflow steps for user requests that did not clearly authorize this skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to create multiple files under the workspace (`output/chapters/` and `chapters_index.json`) without an upfront warning or consent boundary around filesystem writes. This is dangerous because users may invoke what appears to be a research/reporting skill without realizing it will persist artifacts, potentially overwriting files, creating unexpected outputs, or exposing internal workflow data in shared workspaces.

External Transmission

Medium
Category
Data Exfiltration
Content
**Text-only (no product image):**

```bash
curl -s "https://generativelanguage.googleapis.com/v1beta/models/gemini-2.5-flash:generateContent" \
  -H "x-goog-api-key: ${GEMINI_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
98% confidence
Finding
curl -s "https://generativelanguage.googleapis.com/v1beta/models/gemini-2.5-flash:generateContent" \ -H "x-goog-api-key: ${GEMINI_API_KEY}" \ -H "Content-Type: application/json" \ -d '{ "con

External Transmission

Medium
Category
Data Exfiltration
Content
**Without product image:**
```bash
curl -s "https://generativelanguage.googleapis.com/v1beta/models/gemini-3.1-flash-image-preview:generateContent" \
  -H "x-goog-api-key: ${GEMINI_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
98% confidence
Finding
curl -s "https://generativelanguage.googleapis.com/v1beta/models/gemini-3.1-flash-image-preview:generateContent" \ -H "x-goog-api-key: ${GEMINI_API_KEY}" \ -H "Content-Type: application/json" \

VirusTotal

64/64 vendors flagged this skill as clean.
