google-ads-audit

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required Phase 4 and references explicitly instruct the agent to crawl and WebFetch the user's website (homepage, about, services, and top 3 ad landing pages) and to WebSearch areas for policy freshness, which ingests open/public third‑party web content and uses it to populate business-context.json and drive audit decisions—exposing the agent to untrusted external content that can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill calls a runtime script baseline at adsagent://playbooks/audit-account (used by runScript/ads.gaqlParallel) which supplies executable query/script behavior, and it issues WebFetch calls to the user's site roots (e.g., https://{root_url} such as https://example.com) at runtime whose fetched content is injected into business-context.json and therefore directly controls agent context and instructions.