google-ads
Warn
Audited by Snyk on May 3, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's routing logic for "landing-review" in SKILL.md explicitly says it "Uses browser/fetch to inspect actual landing pages," meaning the agent will fetch and interpret arbitrary public websites (untrusted third‑party content) as part of its diagnostic workflow and use that content to create actionable drafts—exposing it to indirect prompt injection risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to read and write Google Ads accounts via a connected MCP server and the Google Ads API. It defines GAQL queries for live data, a draft → apply workflow, and an /google-ads apply command that executes approved drafts via the Google Ads API (v1 scope: add negatives & pause entities; future scope: controlled write-back of approved drafts). It also includes a /google-ads budget command and produces "budget drafts" for reallocation. Because it contains explicit API-backed write capabilities against ad accounts (and is intended to perform account changes that directly affect ad spend, with future plans for broader write-back), this constitutes direct financial execution authority over ad spend.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).