ads-manager-agent
Warn
Audited by Snyk on Feb 23, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests content from arbitrary public URLs (e.g., the optional website_url of research_keywords, and the requirement to upload creative assets from public Google Drive/S3/Dropbox links). These are untrusted third-party sources that the agent reads and validates, and they directly influence keyword research and campaign creation and management decisions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly connects to ad platform APIs and can perform write actions that change ad spend: creating campaigns (create_search_campaign, create_pmax_campaign, create_meta_image_campaign, etc.), updating campaign settings (update_campaign / update_meta_campaign), pausing/resuming campaigns, changing bid strategies (update_bid_strategy), and performing budget operations (optimize_budget_allocation, optimize_meta_budget, optimize_linkedin_budget). The prompt even states that these tools operate on "REAL ad accounts that spend REAL money" and includes APIs to modify budgets and campaign state (write operations), albeit with required user confirmation. Per the core rule, the presence of APIs to update/manage ad budgets is considered Direct Financial Execution.
Audit Metadata