Microsoft Ads MCP
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is coherent for Microsoft Ads management, but users should realize it installs an external MCP server and gives it credentials and authority to create or activate paid ads.
Install only if you are comfortable reviewing and running the external MCP server. Use a limited Microsoft Ads account, keep campaigns paused until manually reviewed, confirm all budgets and ad text before activation, and protect or revoke credentials when needed.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A wrong command or unreviewed agent action could create, modify, or activate paid advertising campaigns.
The documented tools can create and activate paid ad campaigns. This is central to the skill's purpose and disclosed, but mistakes or autonomous use could spend money or publish unintended ads.
mcporter call microsoft-ads.create_campaign '{"name": "My Campaign", "daily_budget": 20}' ... mcporter call microsoft-ads.update_campaign_status '{"campaign_id": 123456, "status": "Active"}'Use explicit human approval for campaign creation, budget changes, ad publishing, and activation; start campaigns paused and verify account IDs, budgets, and ad text before activation.
Anyone or any agent process using the configured MCP server may be able to act on the connected Microsoft Ads account according to the granted permissions.
The skill requires Microsoft Ads/Azure credentials and OAuth authentication. These are expected for the integration, but they grant access to an advertising account.
"MICROSOFT_ADS_DEVELOPER_TOKEN": "your_token", "MICROSOFT_ADS_CLIENT_ID": "your_azure_app_client_id" ... mcporter call microsoft-ads.complete_auth
Use the least-privileged Microsoft Ads account possible, protect the mcporter config file, rotate credentials if exposed, and revoke OAuth access when no longer needed.
Installing the external server means trusting code and Python packages outside the submitted skill artifact.
The skill relies on external repository code and dependencies that are not included in the artifact set. This is a common setup pattern, but provenance and dependency contents were not reviewed here.
git clone https://github.com/Duartemartins/microsoft-ads-mcp-server.git cd microsoft-ads-mcp-server pip install -r requirements.txt
Review the GitHub repository, pin or inspect dependencies, and install in an isolated environment before connecting real advertising credentials.