meta-ads
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it incorporates external, untrusted data into its automated reasoning and generation stages.
  - Ingestion points: Untrusted data enters the context via `lp_analyzer.py` (scrapes landing page content) and `ad_library.py` (scrapes competitor ad copy from the Meta Ad Library).
  - Boundary markers: Prompts in `campaign/references/stage-prompts.md` and `scripts/copy_generator.py` interpolate the scraped text directly into instructions for the LLM without using structured delimiters (like XML tags) or 'ignore embedded instructions' warnings.
  - Capability inventory: The skill possesses high-impact capabilities through `scripts/meta_api.py`, which can create campaigns, ads, and ad creatives, as well as modify ad set status and budgets.
  - Sanitization: There is no evidence of filtering or sanitization of scraped content before it is processed by the LLM, creating a surface where a malicious website could attempt to hijack the agent's ad management logic.
- Mitigation: The workflow includes explicit 'Approval gates' at the Strategy, Creative, and Upload stages, ensuring that no malicious output is deployed to a live account without human verification.