Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
google-meta-ads
v1.0.0Scrape and analyze active Google, Meta, and TikTok ads from competitors to extract winning creatives, copy, spend signals, and recreate them for your campaigns.
⭐ 0· 31·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The declared purpose (scrape competitor ads and rebuild creatives) coheres with the described workflow, but the SKILL.md explicitly references Apify, InVideo, and Claude and shows input fields for apify_token and invideo_api_key while the skill metadata lists no required environment variables or primary credential. That omission is inconsistent: a scraping/automation skill legitimately needs API keys for those services.
Instruction Scope
Instructions tell the agent to scrape public ad libraries, crawl landing pages (including URL parameters), extract creatives and copy, and send assets to InVideo and Claude for rewriting/production. The workflow is broad (network I/O, web crawling, asset transfer to external services) but the SKILL.md doesn't specify how credentials are obtained or stored, nor does it constrain data collection (landing pages may contain tracking parameters or PII). The instructions are operationally detailed but leave out important access/consent and credential-handling steps.
Install Mechanism
No install spec and no code files are present, so nothing is written to disk by the skill itself. Instruction-only format reduces install-time risk. However, the SKILL.md includes affiliate links and expects the agent to call external hosted APIs (Apify/InVideo/Claude), which is an operational risk rather than an install risk.
Credentials
The sample input in SKILL.md includes 'apify_token' and 'invideo_api_key' (and mentions Claude AI) but the skill metadata declares no required env vars or primary credential. Requiring multiple third‑party API keys is proportionate to the task, but omitting them from the declared requirements is an incoherence that could hide how/where secrets are requested, stored, or transmitted. Also, the skill may collect landing‑page data and URL params that could contain sensitive information.
Persistence & Privilege
The skill does not request always:true and has no install or code that persists on disk. It does not ask to modify other skills or system settings. Autonomous invocation is default for skills but is not combined here with persistent privileges.
What to consider before installing
Do not install or run this skill without clarification. Ask the author to: (1) explicitly list required environment variables (Apify token, InVideo API key, and the Claude/Anthropic key if used) in the registry metadata; (2) describe exactly how those secrets are provided, stored, and protected; (3) provide origin/source or homepage and author verification (currently unknown); and (4) document compliance with platforms' terms of service and privacy/robot rules for scraping and crawling landing pages. If you still want to test it, supply API keys in a throwaway/sandbox account, review network endpoints it calls, and confirm you have legal permission to scrape and reuse competitor creatives.Like a lobster shell, security has layers — review code before you run it.
latestvk97enxrm2f2ngpgejm27w5v8ah83zvpp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.