meta-ads-intel
Fail
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using user-provided input in the $ARGUMENTS variable (meta-ads intel run $ARGUMENTS). If this input is not strictly validated, an attacker could provide shell metacharacters to execute arbitrary code.
- [CREDENTIALS_UNSAFE]: During onboarding, the skill requests a Meta API access token and passes it as a command-line argument (meta-ads setup --non-interactive --token "<token>"). This practice exposes sensitive credentials in the system's process list and potentially in shell history files.
- [COMMAND_EXECUTION]: The onboarding instructions explicitly suggest the use of sudo for installing the CLI tool (sudo npm i -g meta-ads), which is a privilege escalation pattern that can be used to compromise the host system.
- [EXTERNAL_DOWNLOADS]: The skill requires the global installation of an external package meta-ads from NPM. While the package name aligns with the author's namespace, installing global packages involves high-privilege operations and executes code from a remote registry.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and analyzes untrusted data (ad copy) from the Meta API without sanitization.
  - Ingestion points: creative-analysis.json contains creative_body (raw ad copy).
  - Boundary markers: Absent. The agent is instructed to analyze the copy using the "Four Horsemen" framework without delimiters to isolate the untrusted text.
  - Capability inventory: The skill can execute shell commands via meta-ads, write files to the home directory, and spawn subagents with web search capabilities.
  - Sanitization: Absent. There is no logic to filter or escape malicious instructions embedded in the retrieved ad copy.
Recommendations
- AI detected serious security threats
Audit Metadata