afa-gg

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.80). Yes — the prompt instructs the agent to "append new learnings to learnings.jsonl" and explicitly "Follow the silent capture protocol," which implies covert data capture/storage beyond the visible Google Ads optimization duties and is therefore a hidden/deceptive instruction outside the skill's stated purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill explicitly requires ingesting a user-provided store_url (module-specific execution inputs / Phase 2 "收集模块特定执行输入" in SKILL.md) to inspect landing pages as part of its diagnostic and optimization workflow, so it will read and act on untrusted third‑party website content that can materially influence decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a Google Ads optimization engine and its workflow includes concrete actions that modify ad spend: "增加预算、扩量、规模化", "降低日预算", "暂停低效系列", and references to "planning-and-budget.md" for budget allocation and execution. Those are specific ad-spend management operations (not generic browsing or diagnostics) and imply updating campaign budgets/controls. Managing ad spend budgets via an API fits the listed Direct Financial Execution category.