google-ads

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Browser Automation Mode explicitly instructs the agent to navigate to and snapshot pages on ads.google.com (see SKILL.md "Navigate to: ads.google.com/aw/campaigns" and references/browser-workflows.md) and to parse account/ad content and then take actions (e.g., pause campaigns), meaning it ingests third-party, user-provided ad data that could influence subsequent tool use.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to manage Google Ads accounts and includes concrete, actionable capabilities to change campaign/keyword state via both API and browser automation. Examples: API Mode shows google-ads SDK usage and a mutate_ad_group_criteria operation to set status=PAUSED; Browser Mode contains step-by-step instructions to check boxes and click "Edit → Pause" to stop campaigns/keywords. Those are backend mutations that directly control ad spend (i.e., they can stop or modify how money is spent). Because the skill's primary purpose is operational control of ad accounts (not just read-only reporting) and it includes explicit API mutations and UI actions to pause/modify campaigns, it meets the "managing ad spend" execution criterion and should be flagged.