
SECURITY: competitive-ads-extractor instructs ToS-violating scraping of Facebook and LinkedIn #402

@MD-NL

Description

Security Report — competitive-ads-extractor skill

Severity: HIGH
Reported by: Security audit during skill evaluation
Date: 2026-03-16


Summary

The competitive-ads-extractor skill instructs automated scraping of Facebook Ad Library and LinkedIn, which violates both platforms' Terms of Service and may expose users to legal liability.


Finding 1 — HIGH: Instructs web scraping in violation of platform ToS

The SKILL.md explicitly describes scraping Facebook Ad Library and LinkedIn. Both platforms' Terms of Service prohibit automated scraping. The skill instructs Claude to:

  • Access facebook.com/ads/library programmatically
  • Extract and save screenshots of ads to ~/competitor-ads/
  • Repeat this for LinkedIn

This constitutes instructed ToS violation and could trigger:

  • Account bans on Facebook/LinkedIn
  • Legal action under the Computer Fraud and Abuse Act (CFAA) or equivalent statutes
  • Reference cases: Meta v. Bright Data, LinkedIn v. hiQ
  • IP-level blocking

Finding 2 — HIGH: Uncontrolled outbound network activity

The skill instructs making network requests to facebook.com and linkedin.com during execution. Unlike other skills in this repo, this is NOT using a documented API — it is instructed scraping. The actual implementation mechanism (which browser automation tool, which HTTP library) is unspecified, creating unpredictable behavior.

Finding 3 — MEDIUM: Arbitrary file write

The skill saves screenshots to ~/competitor-ads/ and subdirectories without user confirmation of the write location.

Finding 4 — LOW: Contradictory Legal and Ethical section

The Legal and Ethical section (lines 205-209) includes a disclaimer to only use for research and inspiration and not to plagiarize. However, the core capability described is automated scraping, which the disclaimer section simultaneously endorses and contradicts. Presence of a disclaimer does not make the instructed activity legal or safe.


Impact

  • Legal risk: Users may unknowingly violate ToS and face legal consequences
  • Account risk: Social media accounts used for scraping may be banned
  • Reputational risk: Automated scraping from a skill library reflects poorly on the project

Recommendation

  1. Replace scraping with official APIs: Facebook provides an Ad Library API (https://www.facebook.com/ads/library/api/) and LinkedIn offers a Marketing API — both provide programmatic access within their terms of service
  2. Add clear warnings about the legal risks of web scraping
  3. Document required API credentials and rate limits for the official APIs
  4. Remove screenshot scraping instructions entirely

This issue was filed as a responsible disclosure to protect users of this skill library.
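What recommendation 1 looks like in practice, as an added example that is not part of the issue above, of the skill, or of this repository: the Ad Library data is fetched through the Graph API endpoint rather than by driving a browser against the web UI, the token comes from the environment instead of being hard-coded, rate-limit errors are retried with backoff, and paging follows the API's own `paging.next` links. Assumptions, all labelled in the code: the endpoint name `ads_archive` and its query parameters (`search_terms`, `ad_reached_countries`, `ad_type`, `fields`, `limit`), Graph API error code 4 for rate limiting, the API version in `GRAPH_BASE`, and the environment variable name `FB_ADS_LIBRARY_TOKEN`. The HTTP function is injectable so the flow can be exercised offline against constructed responses.

```python
"""Fetch Ad Library data through the official Graph API instead of scraping.

Added example, not the skill's own code. Assumed (verify against the current
Meta Ad Library API docs): the ``ads_archive`` endpoint and its parameter
names, error code 4 meaning "request limit reached", the API version below,
and the FB_ADS_LIBRARY_TOKEN variable name.
"""
import json
import os
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

GRAPH_BASE = "https://graph.facebook.com/v19.0"   # assumed API version
RATE_LIMIT_CODE = 4                               # assumed Graph API code
DEFAULT_FIELDS = ("id", "page_name", "ad_creative_bodies",
                  "ad_delivery_start_time", "ad_snapshot_url")


def build_ads_archive_url(search_terms: str, countries: List[str], token: str,
                          fields=DEFAULT_FIELDS, limit: int = 25) -> str:
    """Build the first-page request URL; later pages come from paging.next."""
    params = {
        "search_terms": search_terms,
        # Documented form is a JSON array of ISO country codes (assumed).
        "ad_reached_countries": json.dumps(countries),
        "ad_type": "ALL",
        "fields": ",".join(fields),
        "limit": str(limit),
        "access_token": token,
    }
    return f"{GRAPH_BASE}/ads_archive?{urllib.parse.urlencode(params)}"


def http_get_json(url: str) -> Dict:
    """Real transport: a plain GET, no browser automation involved."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def _get_with_backoff(url: str, fetch: Callable[[str], Dict], retries: int,
                      sleep: Callable[[float], None]) -> Dict:
    """Retry only on the rate-limit error; any other API error is fatal."""
    for attempt in range(retries + 1):
        body = fetch(url)
        err = body.get("error")
        if err is None:
            return body
        if err.get("code") == RATE_LIMIT_CODE and attempt < retries:
            sleep(2 ** attempt)          # exponential backoff: 1s, 2s, 4s ...
            continue
        # Never echo the URL here: it carries the access token.
        raise RuntimeError(f"Graph API error {err.get('code')}: {err.get('message')}")
    raise RuntimeError("unreachable")    # loop always returns or raises


def iter_ads(search_terms: str, countries: List[str], token: Optional[str] = None,
             fetch: Callable[[str], Dict] = http_get_json, max_pages: int = 10,
             retries: int = 3, sleep: Callable[[float], None] = time.sleep
             ) -> Iterator[Dict]:
    """Yield ad records page by page, bounded by max_pages."""
    token = token or os.environ.get("FB_ADS_LIBRARY_TOKEN")
    if not token:
        raise RuntimeError("set FB_ADS_LIBRARY_TOKEN; do not hard-code tokens")
    url = build_ads_archive_url(search_terms, countries, token)
    for _ in range(max_pages):
        body = _get_with_backoff(url, fetch, retries, sleep)
        for ad in body.get("data", []):
            yield ad
        url = body.get("paging", {}).get("next")
        if not url:
            return


if __name__ == "__main__":
    # Live usage (needs a real token in the environment):
    #   FB_ADS_LIBRARY_TOKEN=... python this_file.py
    for ad in iter_ads("example", ["US"], max_pages=1):
        print(ad.get("id"), ad.get("page_name"))
```

The backoff loop is the piece the skill would need to document under recommendation 3: the API enforces request limits, and an automated caller that ignores them looks exactly like the scraping traffic the platform's terms prohibit. Nothing here touches `~/competitor-ads/`; what to persist, and where, is a separate decision the user should confirm.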
