Pilot Ad Campaign Manager Setup

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed setup guide for a multi-agent ad campaign workflow. It carries some external reporting risk, so users should configure it carefully.

Before installing, review each pilot-* dependency, especially pilot-escrow, pilot-slack-bridge, and pilot-webhook-bridge. Configure Slack/webhook destinations deliberately, avoid sending raw audience or user-level data, and use test campaign data until trust relationships and reporting boundaries are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding:
The README explicitly documents sending campaign reports to an external destination and using Slack/webhook bridge skills, but it provides no warning about what data may leave the environment, what should be redacted, or how trust boundaries should be enforced. In an ad-tech workflow, reports can contain campaign performance data, audience details, spend, and potentially linked business-sensitive or regulated marketing data, so normalizing external publication without guardrails increases the chance of accidental data exposure.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The skill configures outbound reporting to Slack and external webhooks but does not warn the user that campaign data may be transmitted to third-party services. This creates a real risk of unintended data disclosure, especially if campaign reports include spend, performance, audience, or other sensitive business information.

VirusTotal

65/65 vendors flagged this skill as clean.
