Adwords

Security checks across malware telemetry and agentic risk

Overview

This is a local copywriting template skill with no network or destructive behavior, though one included helper script can save command history on disk.

Reasonable to install for copywriting help. Avoid passing confidential campaign details, customer data, or secrets to scripts/script.sh unless you are comfortable with them being stored in the local adwords history log, and verify any testimonials, statistics, scarcity, or refund claims before using generated marketing copy.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 73% confidence
Finding: The 'when to use' guidance is overly broad and could cause the skill to be invoked in contexts beyond narrowly scoped ad-copy generation. Overbroad routing language increases the chance of unnecessary access to user prompts or workflow data and makes unintended invocation more likely.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: User-supplied command inputs are written verbatim to a persistent history log without any visible disclosure, consent, retention policy, or redaction. In a copywriting/marketing context, prompts may contain campaign plans, customer data, proprietary messaging, API-like tokens pasted by mistake, or other sensitive business information, so silent logging creates a real privacy and data-exposure risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal