Siluzan TSO

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate advertising-operations tool, but it has broad install-time persistence and under-guarded access to live ad accounts, spend controls, credentials, and lead data.

Install only if you trust Siluzan TSO with live advertising accounts, billing workflows, credentials, and lead data. Prefer manual installation over the one-click scripts, review any global npm registry change, avoid all-assistant global registration unless you want it, and require explicit approvals before any budget, bid, pause, delete, permission, invoice, transfer, or raw lead export action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (36)

Context-Inappropriate Capability

Severity: Medium, Confidence: 90%
Finding
The document instructs the agent to proactively introduce hosted automation capabilities whenever the skill is loaded, even if the user only asked about a narrow account operation. This expands the scope of interaction beyond explicit user intent and can steer users toward higher-risk automated actions such as auto-pausing campaigns, budget controls, or webhook-based monitoring without a clear opt-in boundary.

Context-Inappropriate Capability

Severity: Medium, Confidence: 93%
Finding
The template loads executable JavaScript directly from a remote CDN, which creates a supply-chain trust boundary outside the skill repository. If that CDN asset is compromised, replaced, or blocked, the rendered report can execute attacker-controlled code in the context of the report page, potentially exposing report data or manipulating output.

Context-Inappropriate Capability

Severity: Medium, Confidence: 93%
Finding
The installer expands its scope beyond the advertised CLI by downloading and silently installing Git for Windows from a vendor-controlled URL as a fallback for agent shells. That introduces additional software, widens the trust boundary, and creates supply-chain risk because users running the installer may not expect or meaningfully consent to a secondary executable install unrelated to core CLI function.

Description-Behavior Mismatch

Severity: Medium, Confidence: 97%
Finding
After installing the package, the script force-registers the skill globally across many AI assistant directories using `init --global --force`, affecting tools well beyond the stated product. This creates cross-application persistence and configuration modification without granular consent, which is especially risky in an agent-skill context because it can silently influence multiple assistants and user environments.

Description-Behavior Mismatch

Severity: Medium, Confidence: 95%
Finding
The installer invokes `siluzan-tso init --global --force` and then advertises registration into many AI assistant global skill directories, which exceeds a narrow package install and creates broad persistence across unrelated tools. In the context of an advertising-account skill, silently planting integrations into multiple agent environments increases attack surface and can enable unexpected execution or discovery by other assistants.

Context-Inappropriate Capability

Severity: Medium, Confidence: 97%
Finding
The script changes the user's global npm registry to `https://registry.npmmirror.com`, altering future package resolution for the whole user environment rather than just this install. This is risky because it persists beyond the skill setup, can redirect trust to a third-party mirror, and is not justified by the advertised ad-account functionality.

Context-Inappropriate Capability

Severity: Medium, Confidence: 98%
Finding
The installer auto-installs or upgrades Node.js by fetching remote setup scripts and executing them in the shell, including privileged paths on Linux. Piping network content directly into `bash`, especially with `sudo`, gives remote code immediate execution and makes supply-chain compromise or MITM-style failures highly damaging.

Vague Triggers

Severity: Medium, Confidence: 88%
Finding
The trigger conditions are extremely broad, covering common business terms like accounts, balance, reports, diagnostics, invoicing, and TSO. In a skill with Bash and Write access and many account-management/write workflows, overbroad activation increases the chance of accidental invocation in unrelated conversations, which can lead to unintended data access or sensitive operations being proposed or initiated.

Natural-Language Policy Violations

Severity: Medium, Confidence: 97%
Finding
The instruction tells the agent to withhold disclosure of an available Admin role unless the user explicitly asks, which biases the agent away from transparent presentation of privilege options. In an account-access management skill, hiding higher-privilege options can manipulate consent, obscure security-relevant choices, and lead users to make authorization decisions without informed understanding of available access levels.

Missing User Warnings

Severity: Medium, Confidence: 93%
Finding
The guide explicitly states that when `--website` is provided, `collect` may send data to an external Agent gateway (`SILUZAN_AGENT_BASE` / `agent.mysiluzan.com`) and instructs the agent to write local report artifacts such as `market-report.json` and rendered HTML, but it does not require an explicit user-facing consent or warning step. In an agent skill context, this is risky because users may provide internal URLs, sensitive customer websites, or proprietary market inputs without realizing they will be transmitted off-host and persisted to disk.

Missing User Warnings

Severity: Medium, Confidence: 91%
Finding
The guide tells users to place long-lived API keys and JWTs in environment variables for CI/CD and automation, but it does not warn that these values can be exposed through shell history, process inspection, debug logs, CI job output, crash reports, or inherited subprocess environments. In a skill that manages advertising accounts, billing, OAuth, invoices, and account operations, leaked credentials could enable unauthorized access to sensitive account and financial actions.

Missing User Warnings

Severity: Medium, Confidence: 91%
Finding
The workflow explicitly instructs the agent to retrieve and even reproduce raw TikTok/Meta lead-form data, including full JSON output, without requiring any privacy notice, purpose limitation, minimization step, or confirmation that the requester is authorized to access personal data. Because ad leads commonly contain names, phone numbers, emails, and other contact details, this creates a real risk of unnecessary exposure or oversharing of sensitive personal information.

Missing User Warnings

Severity: Medium, Confidence: 84%
Finding
The skill documents multiple destructive commands that can delete campaigns, ad groups, ads, keywords, and extensions, but warnings are not consistently enforced across all such operations. In an agent-driven workflow, a user or automation error could trigger irreversible deletion of live advertising assets, causing service disruption, spend loss, and operational damage.

Missing User Warnings

Severity: Medium, Confidence: 89%
Finding
The guide instructs operators to export account, ad group, and campaign data locally into `./snap` without any warning about the sensitivity of advertising account data, retention, or access controls. In a real workflow this can lead to unnecessary local copies of business-sensitive data being stored on shared workstations, synced folders, or developer machines, increasing risk of leakage or mishandling.

Missing User Warnings

Severity: Medium, Confidence: 85%
Finding
The document recommends enabling enhanced conversions as a best practice but does not mention that the feature may process personal data such as customer identifiers and therefore triggers consent, notice, and jurisdiction-specific compliance obligations. This omission can cause users to enable privacy-impacting tracking without understanding legal and data-protection requirements.

Missing User Warnings

Severity: Medium, Confidence: 87%
Finding
The guide recommends enabling Enhanced Conversions and uploading lead/CRM data, but does not mention consent, lawful basis, minimization, retention, or cross-border/privacy compliance. In a skill that directly instructs operators how to configure ad accounts and data flows, this omission can lead users to transmit hashed customer identifiers or CRM lead data to Google in ways that violate privacy requirements or internal policy.

Missing User Warnings

Severity: Medium, Confidence: 94%
Finding
The document explicitly instructs sending hashed first-party personal data such as email, phone, and address to Google, but it frames this mainly as a performance optimization and does not clearly warn about privacy, consent, regional legal requirements, or data-sharing implications at the point of instruction. In an advertising-operations skill, this omission is material because operators may implement the flow directly and expose organizations to privacy noncompliance or unauthorized personal-data transfer.

Missing User Warnings

Severity: Medium, Confidence: 91%
Finding
The document instructs operators to capture GCLID and upload hashed email data to Google Ads for Enhanced Conversions, but it does not mention user notice, consent, lawful basis, retention, or cross-border transfer requirements. In an ad-operations skill, these steps are likely to be followed operationally, so omitting privacy safeguards can lead to unauthorized processing of personal data and regulatory/compliance violations.

Missing User Warnings

Severity: High, Confidence: 96%
Finding
The skill explicitly instructs the agent to return complete raw lead JSON, and the documented fields include personal contact data such as name, email, and phone. Echoing full media-sourced lead payloads into responses creates a direct sensitive-data exposure path, especially because there is no requirement to minimize, mask, or confirm authorization before disclosing PII.

Missing User Warnings

Severity: Low, Confidence: 87%
Finding
The skill instructs users to enumerate WeChat notification accounts and use account-linked entityIds without clearly warning that these identifiers and follow/unfollow status may reveal personal or organizational information. In a shared agent or logging environment, exposing notification targets and subscription state could leak employee identity, communication preferences, or account associations to unauthorized viewers.

Missing User Warnings

Severity: Medium, Confidence: 91%
Finding
This SOP directly instructs an automated state-changing command that pauses live ads, but it does not require an explicit confirmation, dry-run, rollback path, or operator warning before modifying production advertising assets. In the context of ad account operations, an agent following this playbook could unintentionally pause revenue-generating creatives based on flawed data, misconfiguration, or ambiguous user intent, causing real business disruption.

Missing User Warnings

Severity: Medium, Confidence: 89%
Finding
This SOP provides direct, actionable instructions for modifying live campaign budgets and target CPA values, including write commands that can immediately increase spending, but it does not require an explicit user confirmation, change-approval gate, rollback plan, or prominent warning about financial risk. In the context of a hosted automation skill for ad-account operations, this creates a real safety issue because an agent or operator could apply the workflow mechanically and cause unintended spend increases or bidding changes across production campaigns.

Missing User Warnings

Severity: Medium, Confidence: 92%
Finding
This SOP contains direct write operations that can lower target CPA or pause live ad groups/ads, which can immediately change campaign delivery and spend behavior. In an automation-oriented skill, omitting an explicit warning and confirmation requirement materially increases the risk of unintended production-impacting changes, especially if an agent executes the documented commands autonomously.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The document provides automation steps for pausing campaigns and lowering bids based on computed thresholds, but it omits explicit safety guardrails about traffic loss, conversion interruption, and cascading spend disruption from misconfigured thresholds, time windows, or unit mismatches. In this skill context, the danger is elevated because the commands perform real write operations against live advertising accounts, so an orchestration mistake could immediately suspend delivery or materially alter bidding at scale.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This section promotes automated spend-control actions that directly pause campaigns and change bids based on thresholds, but it does not prominently warn that these actions can immediately disrupt live advertising delivery and business outcomes if thresholds, data freshness, or mappings are wrong. In an ad-account operations skill, such unattended write actions are inherently high-risk because a user or host may enable them assuming they are routine recommendations rather than potentially destructive automations.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.