Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Ads Spy
v1.0.0Scrape and analyze all active Google, Meta, and TikTok ads from competitors, then rebuild winning creatives, copy, and video ads tailored to your brand.
⭐ 0· 27·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill claims to scrape Meta, Google, and TikTok ads and rebuild creatives using Apify, InVideo, and Claude. That purpose plausibly needs API tokens (Apify, InVideo, and an LLM/Claude key) and possibly headless browser capability, but the registry metadata lists no required env vars, binaries, or install steps. This mismatch between claimed capabilities and declared requirements is incoherent and unexplained.
Instruction Scope
SKILL.md instructs the agent to scrape 'all active ads', extract creative assets and landing-page structure, detect URL A/B testing parameters, and send data to external services (Apify, InVideo, Claude). These instructions cover broad web scraping and data exfiltration tasks and rely on external APIs; they do not limit what data will be collected or state where results are stored, nor do they declare access controls or privacy safeguards.
Install Mechanism
There is no install spec and no code files (instruction-only), which minimizes local install risk. However runtime behavior requires calling external services and likely running scrapers; the skill does not document how that runtime will be provisioned or what client-side tooling is needed (e.g., headless browser).
Credentials
The SKILL.md input example explicitly includes 'apify_token' and 'invideo_api_key' (and references Claude AI) but the skill metadata declares no required environment variables or primary credential. Requiring multiple third-party API keys is reasonable for this functionality, but failing to declare them in metadata is an incoherence and a usability/security red flag. It's unclear which credentials the skill will actually ask for at runtime, where they will be sent, or whether the skill will request any additional secrets.
Persistence & Privilege
The skill is not always-enabled and declares no persistent install behavior. Autonomous invocation is allowed (platform default). There is no indication the skill modifies other skills or system settings. Combined with other concerns, lack of declared credentials/persistence is still problematic but not a direct privilege escalation.
What to consider before installing
Before installing or running this skill, ask the developer to clarify and provide: (1) an explicit list of required environment variables / API keys (Apify token, InVideo key, Claude/LLM key, etc.); (2) how and where scraped data and creative assets are transmitted and stored (which endpoints, retention, access controls); (3) whether any local binaries or headless browsers will be launched and how those are provisioned; (4) the legal/terms-of-service implications of scraping the target platforms for your jurisdiction and your intended use; and (5) the skill's provenance (source repo or homepage) and the identity/authority of the owner. Do not supply production or high-privilege credentials until those questions are answered. If you decide to test, use isolated/sandbox credentials and limit the scope (one competitor, short run) and verify that results are only sent to the services you control.Like a lobster shell, security has layers — review code before you run it.
latestvk97e4yk65c9m3bpsewvd41hmbn846p9d
License
MIT-0
Free to use, modify, and redistribute. No attribution required.