ai-ads-agent

Warn

Audited by Snyk on Feb 23, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly requires fetching and ingesting arbitrary public URLs (e.g., "Public Google Drive link, AWS S3 URL, Dropbox / any public URL" for creative uploads and the optional website_url parameter for keyword research), meaning the agent will read and act on untrusted, user-provided web content as part of campaign creation and optimization workflows, which could materially influence its actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly connects to ad platform APIs and performs write operations that change ad spend and campaign state. It lists functions that create campaigns, modify campaign settings, pause/resume campaigns, change bid strategies, and — critically — perform budget operations: optimize_budget_allocation, optimize_meta_budget, optimize_linkedin_budget, and update_campaign (which can modify budgets). Those are concrete, platform-specific actions that can update ad budgets and therefore move money. Even though campaigns are created PAUSED by default and safety rules require confirmation, the skill is specifically designed to manage and update ad spend via platform APIs.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 23, 2026, 04:22 PM