ClawHub

Hopkin – Paid Ads: Meta, TikTok, Google, LinkedIn, Reddit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent read-only ads reporting skill, but it requires trusting an external Hopkin CLI and providing a Hopkin API key to access ad account data.

This skill appears purpose-aligned and read-only. Before installing, verify that you trust the Hopkin CLI/npm package, understand what ad accounts your Hopkin API key can access, and are comfortable with Hopkin or its MCP servers caching queried advertising data.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Using the skill means trusting the npm-distributed Hopkin CLI and any future updates installed from npm.

Why it was flagged

The skill relies on installing and updating an external global npm package that is not included in the submitted artifacts.

Skill content
npm install -g @hopkin/cli ... npm install -g @hopkin/cli@latest
Recommendation

Install only if you trust the Hopkin CLI package source; consider pinning a known version and reviewing updates before installing them.

#
ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone using the configured CLI may be able to query the ad account data available through that API key.

Why it was flagged

The skill requires a Hopkin API key that can enable access to connected advertising accounts and reporting data.

Skill content
If not authenticated, ask the user for their API key: hopkin auth set-key <API_KEY>
Recommendation

Use a least-privilege Hopkin API key if available, rotate it if exposed, and confirm which ad accounts the key can access.

#
ASI06: Memory and Context Poisoning
Low
What this means

Sensitive advertising metrics or account information may persist in provider-side cache outside the immediate chat session.

Why it was flagged

The instructions disclose that queried ad platform data may be cached by MCP servers, but they do not describe retention or cache scope.

Skill content
Caching: The MCP servers cache data. Pass --refresh to a command if the user needs real-time data.
Recommendation

Review Hopkin's data handling and retention policy, and avoid broad queries such as fetching all pages unless needed.