Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
adserFB5
v1.0.0Systematic competitor research and intelligence gathering skill. Covers how to find competitor fanpages, analyze their ad strategies, extract key insights, a...
⭐ 0· 66·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (competitor ad intelligence) matches the steps in SKILL.md, but those steps rely on external services (serper_search, meta_ad_library, apify_facebook_ads, ads_manager_*) that normally require API access or special connectors. The skill declares no required env vars or credentials, which is disproportionate to the external capabilities it instructs the agent to use.
Instruction Scope
Instructions remain focused on competitor discovery, analysis, and saving results to memory. They do instruct broad live data collection and persistent storage (ads_manager_save_competitor, ads_manager_brief). No instructions ask to read unrelated local files, but they do assume the ability to query third-party services and to persist competitive data — both of which should be explicit.
Install Mechanism
This is instruction-only with no install spec and no code files, so there is no immediate install-time execution risk. That lowers the surface area, but does not remove the concerns about external API use at runtime.
Credentials
SKILL.md references multiple external integrations (Serper, Meta Ad Library, Apify, ads_manager_*), yet requires no environment variables or credentials. Either the platform provides built-in connectors (not documented here) or the skill omitted declaring necessary API keys/tokens — both possibilities are important to clarify. The skill also directs storing competitor contact data in memory, which may include PII and should be justified and constrained.
Persistence & Privilege
The skill explicitly instructs saving analyses to memory and to check memory before re-scanning. It does not set always:true and does not request system-wide configuration changes. Still, autonomous invocation combined with automatic memory writes increases the blast radius if the skill is allowed to run without supervision — consider limiting autonomy or memory retention for sensitive data.
What to consider before installing
This skill's playbook looks plausible for competitor ad research, but the runtime steps call external scraping/search services while the package declares no API keys, connectors, or installs — that's the main mismatch. Before installing: 1) Ask the skill author to document which connectors it needs and where credentials should be supplied (e.g., SERPER_API_KEY, APIFY_TOKEN, META_ADS_TOKEN) and why. 2) Confirm whether your platform provides built-in connectors for serper/meta/apify; if not, the skill will fail or attempt unauthorized scraping. 3) Ask what exactly gets written to memory, how long it's retained, and who can access it (competitor contact info can be sensitive). 4) Ensure the workflow complies with Meta/Facebook terms of service and local privacy laws if scraping/storing PII. 5) If you proceed, consider running in a sandboxed agent with autonomous invocation disabled or restricted, and review memory and network logs during initial runs. If the author cannot justify the missing credential/connector declarations, treat the skill as untrusted.Like a lobster shell, security has layers — review code before you run it.
latestvk973rz210v9sz2w5zgm0aybxkn83bap9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.