google-ads-editor

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): This skill presents a significant Indirect Prompt Injection surface. Evidence: (1) Ingestion points: ad headlines, descriptions, and keywords are taken from external prompts and inserted into the database. (2) Boundary markers: no delimiters or instructions to ignore embedded commands are present. (3) Capability inventory: the skill has write access to a local application database via SQL and shell execution. (4) Sanitization: the SQL examples show no sanitization or parameterized queries; they build statements by string interpolation, which is vulnerable to injection.
  • COMMAND_EXECUTION (HIGH): The skill provides raw bash and sqlite3 commands (e.g., 'ls', 'sqlite3', 'python3') to interact with the local filesystem and application databases, granting the agent broad shell execution capabilities.
  • DATA_EXFILTRATION (HIGH): The skill targets and modifies sensitive application data stored in '~/Library/Application Support/Google/Google-AdWords-Editor/'. Accessing and modifying these application-specific files without using the official API constitutes a high-severity data exposure and integrity risk.
  • REMOTE_CODE_EXECUTION (MEDIUM): The skill references an external Python script located at a hardcoded absolute path ('/Users/avysotsky/Projects/vood/vibe-business/scripts/google_ads_db_insert.py') which is not included in the skill package, creating a dependency on unverifiable and potentially malicious local code.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:59 PM