bmad-agent-marketing-paid-ads
Warn
Audited by Snyk on Apr 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's competitive-research workflow (references/competitive-research.md) explicitly runs agent-browser to open and scrape public third-party pages like the Meta Ad Library, Google Ad Transparency Center, TikTok Creative Center, and competitor landing pages and then extracts their text/body for analysis, meaning untrusted external content is read and used to drive campaign decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill runs agent-browser commands at runtime to open and extract remote pages (e.g. "https://www.facebook.com/ads/library/?active_status=active&ad_type=all&country=ALL&q={competitor-name}&search_type=keyword_unordered"), and that fetched page text is read into the agent (controlling its context/output) as a required research dependency.