ClawHub

Ad-Ready Pro

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised ad-generation workflow, but users should understand that product URLs and image assets are fetched, stored temporarily, and sent to ComfyDeploy.

Install only if you are comfortable sending product URLs, product images, logos, reference ads, and optional model/talent images to ComfyDeploy. Use a dedicated or scoped ComfyDeploy API key when possible, avoid private or unreleased assets unless third-party processing is acceptable, and clean up /tmp/ad-ready if auto-fetch is used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to use environment variables, write files under /tmp, and perform network access, yet no explicit permissions model is declared. This creates a capability/consent gap where the agent may fetch remote content, store artifacts locally, and use sensitive credentials without clear user awareness or sandboxing expectations.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The workflow frames activation broadly whenever a user asks to generate an ad, then directs the agent to search, fetch, and prepare multiple external assets automatically. Overbroad triggering increases the chance the skill runs in situations where the user did not intend web searches, third-party downloads, or external uploads, causing unnecessary data exposure and unintended actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The auto-fetch instructions explicitly download product images and brand logos, then upload them to ComfyDeploy, but there is no clear warning to the user that third-party content and potentially user-supplied URLs will be transmitted off-platform. In this skill context, external transmission is core functionality, which makes the omission more dangerous because it is likely to happen routinely and at scale.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The skill documents use of COMFY_DEPLOY_API_KEY but does not warn about secure handling of credentials, least-privilege storage, or avoiding disclosure in logs and shell history. While this is standard operational guidance, omission can still lead to accidental credential leakage during execution or troubleshooting.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
When --auto-fetch is enabled, the script retrieves remote content from arbitrary product URLs and logo sources, then writes those assets to a fixed /tmp/ad-ready location. This creates privacy and safety concerns because user-supplied URLs can cause unexpected third-party requests and local persistence of downloaded content without clear consent, and predictable temp paths may expose sensitive assets to other local users or later processes on shared systems.

External Transmission

Medium
Category
Data Exfiltration
Content
## API Details

**Endpoint:** `https://api.comfydeploy.com/api/run/deployment/queue`
**Deployment ID:** `e37318e6-ef21-4aab-bc90-8fb29624cd15`

## ComfyDeploy Input Variables
Confidence
94% confidence
Finding
https://api.comfydeploy.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal