Meta Ads Control

Security checks across malware telemetry and agentic risk

Overview

This Meta Ads helper is mostly coherent, but it gives an agent powerful token-backed Meta API access and can send that token to arbitrary URLs if misused.

Review before installing. Use only least-privileged Meta tokens, avoid production ad accounts until you trust the workflow, keep META_GRAPH_BASE set to the official Meta Graph API host, and require human review for raw request commands or any operation that changes spend, delivery, audiences, creatives, or account data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Tainted flow: 'req' from os.getenv (line 363, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
for attempt in range(self.max_retries + 1):
    req = urllib.request.Request(url, data=data_bytes, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=self.timeout) as response:
            status = response.getcode()
            response_headers = dict(response.info().items())
            raw = response.read()
Confidence
92% confidence
Finding
with urllib.request.urlopen(req, timeout=self.timeout) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares and encourages use of sensitive capabilities including environment-variable access for API tokens, outbound network access to the Meta Graph API, and file read/write for payloads and asset uploads, but the finding indicates these permissions are not explicitly declared. That mismatch is dangerous because it weakens policy enforcement and user review: an agent may be granted broader effective capabilities than are visible in the skill's declared interface, increasing the risk of unauthorized API actions, token misuse, or unintended file access.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The low-level request command exposes near-arbitrary Graph API access, including arbitrary methods, paths, and parameters, which exceeds the higher-level ads-management scope implied by the skill description. In an agent setting, this materially increases the attack surface because prompts can steer the tool into touching unrelated endpoints, performing unintended writes, or querying sensitive data beyond the declared workflow.

VirusTotal

63/63 vendors flagged this skill as clean.
