Low Risk — Risk Score 15/100
Last scan: 1 day ago
google-meta-ads-spy
Competitor ad spy tool that scrapes ads from Meta, Google, and TikTok, analyzes them with AI, rewrites winning ads for the user's brand, and produces video creatives via InVideo AI.
This is a documentation-only skill (single SKILL.md file) describing a competitor ad-spy tool using external APIs. No executable code is present. Minor concerns around affiliate links and credential inputs, but no malicious behavior detected.
Skill Name: google-meta-ads-spy
Duration: 44.9s
Engine: pi
Safe to install
This skill is safe for use. If code/scripts are added in future versions, ensure filesystem:WRITE is declared and no credentials are exfiltrated.

Findings 3 items

Severity Finding Location
Low
Undeclared network access Doc Mismatch
The skill describes calling Apify and InVideo AI external APIs (network operations), but declares no network access in its capability map. Users may not realize this skill makes outbound HTTP requests to third-party services.
[Apify](https://www.apify.com?fpr=dx06p) + [InVideo AI](https://invideo.sjv.io/TBB)
→ Declare network:READ in the skill metadata if external API calls are made.
SKILL.md:5
Low
Undeclared filesystem access Doc Mismatch
The output schema references files like 'outputs/ad_01_15s.mp4', implying filesystem writes for saved creatives, but no filesystem access is declared.
video_urls": ["outputs/ad_01_15s.mp4", "outputs/ad_01_30s.mp4", "outputs/ad_01_60s.mp4"]
→ Declare filesystem:WRITE if output files are written to disk.
SKILL.md:195
Info
Affiliate link tracking Supply Chain
External service URLs in SKILL.md contain affiliate tracking parameters (?fpr=dx06p, TBB). This is a standard affiliate marketing pattern used for commission tracking, not a security threat, but it represents a commercial interest embedded in the documentation.
https://www.apify.com?fpr=dx06p
→ Consider using clean non-affiliate links to avoid embedding commercial incentives in skill documentation.
SKILL.md:5
Resource Declared Inferred Status Evidence
Filesystem NONE NONE SKILL.md describes saving outputs to files but declares no filesystem access and…
Network NONE READ ✓ Aligned SKILL.md describes API calls to Apify and InVideo but does not declare WebFetch …
Environment NONE NONE No environment variable access detected
Shell NONE NONE No shell or subprocess usage detected
Clipboard NONE NONE No clipboard access described
Browser NONE NONE No browser automation described
Database NONE NONE No database access described
Skill Invoke NONE NONE No sub-skill invocation described
2 findings
Medium External URL
https://www.apify.com?fpr=dx06p
SKILL.md:5
Medium External URL
https://invideo.sjv.io/TBB
SKILL.md:5

File Tree

1 file · 12.4 KB · 313 lines
Markdown 1f · 313L
└─ 📝 SKILL.md Markdown 313L · 12.4 KB

Security Positives

✓ No executable code present — this is a pure documentation skill with zero attack surface from scripts
✓ No obfuscated code, base64 payloads, or anti-analysis techniques
✓ No credential harvesting or environment variable theft
✓ No curl|bash, wget|sh, or other remote code execution patterns
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ No data exfiltration channels or C2 communication
✓ API tokens are user-provided inputs for legitimate external services, not harvested