Back to skill

Security audit

ad2

Security checks across malware telemetry and agentic risk

Overview

This ads automation skill is not clearly malicious, but it gives an agent broad automatic authority over credential-backed ad, search, memory, and approval workflows with weak user control.

Install only if you want a highly automated ads assistant that may immediately call Meta, Apify, Serper, generic HTTP, and ads-manager tools using existing credentials. Before installing, confirm the connected tokens are least-privilege, review what approval/rejection actions can change, and make sure saved competitor memory can be inspected and deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill exposes and encourages use of a generic `http_request` capability alongside other ad-analysis tools without constraining allowed domains, methods, or purposes. In an agent setting, this expands the skill from ad intelligence into arbitrary network access, which can enable unintended data exfiltration, SSRF-like behavior against internal services, or retrieval from untrusted endpoints if triggered by adversarial input.

Intent-Code Divergence

High
Confidence
90% confidence
Finding
The skill says 'never execute directly — always propose first' but elsewhere defines direct approval/rejection execution commands (`/pheduyet`, `/tuchoi`) and mandates immediate tool use. This inconsistency weakens safety guarantees around state-changing actions, making it more likely the agent will bypass review and execute sensitive ad-management operations under ambiguous or adversarial prompts.

Vague Triggers

High
Confidence
93% confidence
Finding
The manifest trigger scope is extremely broad, covering any ads-related task, any boss command, any Facebook URL, and multiple common business topics. This overbroad activation increases the chance the skill will run in unrelated contexts and automatically invoke powerful tools, causing unintended external calls, data access, or workflow hijacking from benign user input.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to automatically use environment-backed credentials for external services without asking the user or disclosing that authenticated network calls will occur. In an adversarial prompt environment, this can silently spend quota, access sensitive linked accounts, and route data to third-party services without meaningful user awareness or consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill mandates saving competitor findings to memory every time without informing the user or limiting what is stored. Automatic persistence can retain third-party data, business intelligence, or prompt-injected content beyond the current task, creating privacy, compliance, and cross-session contamination risks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.