Skillv1.2.4

ClawScan security

Ad Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousMar 17, 2026, 5:58 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's description promises multi‑platform automated ad management, but the runtime instructions are just high‑level prompts and there are no declared integrations, credentials, or install steps — this mismatch is unclear and deserves caution.
Guidance: This skill promises automated, multi‑platform ad management but provides only vague prompts and no integration or credential details. That could mean it's incomplete or will ask for ad account credentials at runtime. Before installing or using it: (1) verify the author/source (no homepage and unknown owner is a provenance risk); (2) do not paste account API keys, tokens, or passwords into chat — prefer OAuth or limited‑scope tokens; (3) test any automation with a sandbox or low‑privilege/dummy ad account; (4) require explicit confirmation of what external accounts the skill will access and what scopes it needs; and (5) monitor actions and logs closely. If you expect real multi‑platform automation, prefer a skill that declares its integrations and required credentials up front.

Purpose & Capability: noteThe name/description promise multi‑platform ad automation, ROI optimization and reporting, but the SKILL.md contains only high‑level feature lists and example prompts. No integration details, required credentials, or APIs are declared — so the skill cannot actually perform the claimed external actions as written.
Instruction Scope: noteSKILL.md is extremely brief and vague (only example prompts). It does not instruct the agent how to access ad accounts, where to pull campaign data, or how to publish changes. That vagueness grants the agent broad discretion at runtime and could lead to unexpected requests for credentials or attempts to access external systems.
Install Mechanism: okInstruction‑only skill with no install spec and no code files — lowest installation risk (nothing is written to disk by the skill package itself).
Credentials: noteThe skill declares no required environment variables or credentials, yet its stated purpose normally requires API keys/OAuth for ad platforms. The absence of declared credentials is an inconsistency: either it cannot fulfill its purpose, or it will request credentials at runtime (which should be treated carefully).
Persistence & Privilege: okDoes not request permanent/always presence; default autonomy is allowed (platform default). No indications the skill modifies other skills or system settings.