google-ads
Warn
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [Data Exposure & Exfiltration] (MEDIUM): The skill transmits the `MATON_API_KEY` and all Google Ads query data to non-whitelisted domains (`gateway.maton.ai`, `ctrl.maton.ai`). While functional for the skill's purpose, the infrastructure acts as a man-in-the-middle for sensitive advertising data and credentials.
- [Indirect Prompt Injection] (MEDIUM): The skill possesses a vulnerability surface for indirect prompt injection.
  - Ingestion points: Data returned from GAQL queries via `gateway.maton.ai` (e.g., campaign names, ad group descriptions).
  - Boundary markers: Absent; the skill does not wrap external content in delimiters or provide 'ignore instructions' warnings.
  - Capability inventory: Network access and local script execution (as shown in examples).
  - Sanitization: Absent; external content is processed and returned directly to the agent context.
- [Dynamic Execution] (MEDIUM): The documentation provides multiple examples of executing multi-line Python scripts via shell heredocs (`python <<'EOF'`). If an agent follows these examples to perform tasks, it is executing dynamically generated code.
- [Metadata Poisoning] (LOW): There is a discrepancy between the author listed in `SKILL.md` ('maton') and the owner in `_meta.json` ('byungkyu'). This could lead to confusion regarding the provenance and maintenance of the skill.
Audit Metadata