adserFB3

Security checks across malware telemetry and agentic risk

Overview

This ad-management skill is not malicious, but it gives a chat assistant broad automatic authority over sensitive advertising workflows without enough boundaries.

Install only in a controlled ad-management setup with verified boss identity, safe mode kept on by default, tightly scoped Meta credentials, and separate review of every referenced tool. Require explicit confirmation for approvals, publishing, live Meta writes, and saved instructions, and do not paste access tokens into chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

High, 98% confidence
Finding: The skill explicitly instructs the agent to tell the user to set sensitive configuration fields such as access tokens and account identifiers in chat-facing guidance. Even if shown as placeholders, this normalizes secret solicitation and can cause operators to paste live credentials into unsafe channels, expanding the risk of credential disclosure and unauthorized Meta ad account writes.

Intent-Code Divergence

Medium, 87% confidence
Finding: The skill says campaign changes should never execute directly, but elsewhere maps approval/rejection commands to an execution tool immediately. This inconsistency can lead the agent to take state-changing actions without a consistent approval boundary, increasing the chance of unauthorized or accidental operational changes.

Vague Triggers

High, 93% confidence
Finding: Requiring the skill to trigger for every message from the boss is overly broad and creates a standing authority channel for tool use regardless of message content. In a high-privilege business context, broad activation increases the chance that casual, ambiguous, or injected messages result in unintended data access or operational actions.

Vague Triggers

Medium, 90% confidence
Finding: The intent mapping ties common phrases like 'Hôm nay làm gì?' ("What's on today?") or 'Sao hôm nay ế?' ("Why is business slow today?") directly to tool calls without strong contextual constraints. This makes ordinary conversation sufficient to trigger data retrieval or proposal creation, which is risky in a privileged assistant that can access reports, competitors, and campaign workflows.

Missing User Warnings

Medium, 84% confidence
Finding: The automatic morning brief performs proactive tool calls on the first message of the day without a user-facing notice or opt-in for data retrieval. In a boss-facing context, this can expose performance and alert data based on minimal interaction and may surprise users who did not intend to initiate reporting.

Ssd 3

Medium, 97% confidence
Finding: The skill tells the agent to reveal internal configuration structure and credential placeholders, including access token and ad account fields, in natural-language responses. Exposing secret schema and prompting for those values in chat encourages unsafe secret handling and gives attackers useful information about backend integration points and privileged controls.

VirusTotal

66/66 vendors flagged this skill as clean.