ad2 v1.0.0

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:56 AM.

Analysis

This ads-management skill is not clearly malicious, but it pushes the agent to use ad/account tools, stored API tokens, approval actions, and persistent memory automatically with little confirmation or scoping.

Guidance

Review this skill carefully before installing. It appears designed for an ads operations workflow, but you should only use it if you are comfortable with automatic tool calls, stored API-token use, proposal approval/rejection actions, and saved competitor memory. Prefer read-only credentials, require confirmation for budget or posting changes, and check where saved memory can be viewed or deleted.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Medium | Confidence: High | Status: Concern
Source: SKILL.md
ALWAYS load this skill for any ads-related task... mandatory tool execution order and enforces zero-question policy... call the tool IMMEDIATELY... No preamble. No questions.

This instruction forces immediate tool use across broad ads-related triggers and suppresses normal clarification or consent checks.

User impact: The agent may act before confirming what the user wants, which is risky for account, budget, posting, or campaign-management tasks.
Recommendation: Require clarification or explicit confirmation before sensitive actions, and narrow automatic tool-calling to low-impact read-only lookups.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
Source: SKILL.md
`/pheduyet <id>` | `ads_manager_execute_action(proposalId:"<id>", status:"approved")` ... `http_request` → params: `{ url, method?, headers?, body? }` ... `Call them without hesitation.`

The skill encourages immediate execution of approval actions and also exposes a generic HTTP request capability without stated method, domain, or approval limits.

User impact: A mistaken command or broad interpretation could approve/reject ad-management proposals or make arbitrary web requests without an extra safety check.
Recommendation: Add explicit user confirmation for mutation actions, define reversible workflows, and restrict generic HTTP requests to known ads-related domains and safe methods.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
Source: SKILL.md
The system reads `APIFY_TOKEN` automatically... The same applies to: `SERPER_API_KEY`... `META_ACCESS_TOKEN`... These tools handle auth internally. **Zero user input required.**

The skill relies on stored provider/account credentials, but the supplied metadata declares no required environment variables, credentials, or scope boundaries.

User impact: The agent may use API keys or a Meta access token automatically, and the user is not given clear information about what account access or scopes are being used.
Recommendation: Declare all credentials in metadata, document token scopes and account boundaries, and use least-privilege/read-only tokens where possible.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
Source: SKILL.md
Step 3: ads_manager_save_competitor(name, angle, note, sourceUrl) → ALWAYS save findings to memory

The skill explicitly persists competitor-research results for later use, which is purpose-aligned but lacks retention, review, or trust-boundary guidance.

User impact: Incorrect, stale, or manipulated competitor data could be reused in future recommendations.
Recommendation: Label saved memory with source and timestamp, allow review/deletion, and avoid treating stored competitor notes as authoritative without rechecking.