Yuri广告平台 MCP API - Facebook广告创建、投放管理、数据监控。支持创建Campaign/Ad Set/Ad、查询余额、受众定位、文案素材管理、预算调整等。

Security checks across malware telemetry and agentic risk

Overview

This appears to be an advertising account automation skill, but it exposes live campaign publishing, budget, and deletion actions that need careful review before use.

Install only if you are comfortable giving the skill authority over real ad campaigns. Use least-privilege ad-account credentials, start with sandbox or low-budget test campaigns, and require a separate explicit confirmation before any publish, budget change, start/stop, copy, or delete action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill documents high-impact mutation actions such as campaign creation, publishing, budget adjustment, stopping, starting, copying, and deletion for real advertising accounts, some of which explicitly auto-trigger publishing or billing-affecting changes. Although the file includes general safety guidance earlier, the dangerous operations are presented at the point of use without strong inline warnings, confirmations, or guardrails, which increases the risk of accidental spend, service disruption, or unwanted ad changes when an agent or operator follows the workflow mechanically.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal