Low risk, risk score 15/100
Last scanned: 1 day ago
google-meta-ads-spy
Competitor ad spy tool that scrapes ads from Meta, Google, and TikTok, analyzes them with AI, rewrites winning ads for the user's brand, and produces video creatives via InVideo AI.
This is a documentation-only skill (single SKILL.md file) describing a competitor ad-spy tool using external APIs. No executable code is present. Minor concerns around affiliate links and credential inputs, but no malicious behavior detected.
Skill name: google-meta-ads-spy
Analysis time: 44.9s
Engine: pi
Safe to install
This skill is safe for use. If code/scripts are added in future versions, ensure filesystem:WRITE is declared and no credentials are exfiltrated.

Security findings: 3

Severity / Finding / Location
Low
Undeclared network access [Documentation deception]
The skill describes calling Apify and InVideo AI external APIs (network operations), but declares no network access in its capability map. Users may not realize this skill makes outbound HTTP requests to third-party services.
[Apify](https://www.apify.com?fpr=dx06p) + [InVideo AI](https://invideo.sjv.io/TBB)
→ Declare network:READ in the skill metadata if external API calls are made.
SKILL.md:5
Low
Undeclared filesystem access [Documentation deception]
The output schema references files like 'outputs/ad_01_15s.mp4', implying filesystem writes for saved creatives, but no filesystem access is declared.
video_urls": ["outputs/ad_01_15s.mp4", "outputs/ad_01_30s.mp4", "outputs/ad_01_60s.mp4"]
→ Declare filesystem:WRITE if output files are written to disk.
SKILL.md:195
Info
Affiliate link tracking [Supply chain]
External service URLs in SKILL.md contain affiliate tracking parameters (?fpr=dx06p, TBB). This is a standard affiliate marketing pattern used for commission tracking, not a security threat, but it represents a commercial interest embedded in the documentation.
https://www.apify.com?fpr=dx06p
→ Consider using clean non-affiliate links to avoid embedding commercial incentives in skill documentation.
SKILL.md:5
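| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | NONE | NONE | | SKILL.md describes saving outputs to files but declares no filesystem access and… |
| Network access | NONE | READ | ✓ Consistent | SKILL.md describes API calls to Apify and InVideo but does not declare WebFetch … |
| Environment variables | NONE | NONE | | No environment variable access detected |
| Command execution | NONE | NONE | | No shell or subprocess usage detected |
| Clipboard | NONE | NONE | | No clipboard access described |
| Browser | NONE | NONE | | No browser automation described |
| Database | NONE | NONE | | No database access described |
| Skill invocation | NONE | NONE | | No sub-skill invocation described |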
2 findings
Medium: External URL
https://www.apify.com?fpr=dx06p
SKILL.md:5
Medium: External URL
https://invideo.sjv.io/TBB
SKILL.md:5

Directory structure

1 file · 12.4 KB · 313 lines
Markdown 1f · 313L
└─ 📝 SKILL.md Markdown 313L · 12.4 KB

Security highlights

✓ No executable code present — this is a pure documentation skill with zero attack surface from scripts
✓ No obfuscated code, base64 payloads, or anti-analysis techniques
✓ No credential harvesting or environment variable theft
✓ No curl|bash, wget|sh, or other remote code execution patterns
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ No data exfiltration channels or C2 communication
✓ API tokens are user-provided inputs for legitimate external services, not harvested