Security audit

Ppc Campaign Strategist

Security checks across malware telemetry and agentic risk

Overview

This instruction-only PPC skill matches its stated purpose, but it tells agents to read and change live ad accounts without clear approval or credential-scope safeguards.

Install only if you are comfortable with an agent using available ad-platform integrations. Prefer read-only or narrowly scoped credentials for analysis, require manual approval before any campaign, bidding, budget, or keyword changes, and avoid connecting production ad accounts unless you have audit logging and rollback procedures.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly encourages executing live Google Ads structural changes such as campaign creation, bid strategy adjustments, and budget reallocation directly through API tooling, but it provides no requirement for user confirmation, dry-run review, or change safeguards. In an agent context, this creates a real risk of unauthorized or accidental modification of production advertising accounts, causing financial loss, campaign disruption, or policy violations.

Missing User Warnings

Low
Confidence: 86%
Finding
The skill directs the agent to pull live account data, including account summaries, campaign listings, and auction insights, without any warning about sensitivity, access scope, or customer/business confidentiality. While such access is normal for PPC work, the unrestricted instruction increases the chance of over-collection or exposure of sensitive advertising performance data in environments where permissions and data handling are not clearly controlled.

VirusTotal

66/66 vendors flagged this skill as clean.
