google-ads
Fail
Audited by Snyk on Mar 24, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt includes explicit commands that print local credential files (e.g., "cat ~/.google-ads.yaml"), which would expose API client secrets into the agent context and require the LLM to handle/output secret values verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's Browser Mode (SKILL.md and references/browser-workflows.md) instructs the agent to navigate to and snapshot/parse pages on ads.google.com (e.g., ads.google.com/aw/campaigns and ads.google.com/aw/keywords), meaning it ingests third‑party web content and uses that content to drive decisions like pausing campaigns.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides API and browser workflows to modify Google Ads entities (pause keywords/campaigns) and to perform account-changing operations via the Google Ads API (example: building AdGroupCriterionOperation and calling mutate_ad_group_criteria). These are not mere read-only or generic tools — they are concrete, documented actions that change ad state and thereby control ad spend (including recommendations to change/increase budgets). Because it contains specific, actionable API calls and browser steps to alter campaigns and keywords (i.e., to stop or change spending), it meets the "Direct Financial Execution" criterion for managing ad spend.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata