ads-agent
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [Command Execution] (LOW): The skill leverages an external MCP server (`meta-ads`) with 46 specialized tools for Facebook API interaction. While powerful, these are used within a defined framework for ad management.
- [Prompt Injection] (LOW): Risk of Indirect Prompt Injection (Category 8):
  - Ingestion points: Reads sensitive configuration and historical data from `.claude/ads-agent/config/` and `.claude/ads-agent/history/`.
  - Boundary markers: Absent; the agent does not appear to use delimiters to distinguish between system instructions and data read from these files.
  - Capability inventory: Extensive capabilities including `update_adset` (budget changes), `create_campaign`, and `pause_ad` via the `meta-ads` server.
  - Sanitization: Absent; no explicit validation of the content within the briefs or history files is mentioned.
- [Data Exposure] (LOW): The agent accesses local files containing account identifiers and marketing strategies (briefs). While no credentials are hardcoded, these files contain proprietary business data.
Audit Metadata