Amazon Advertising

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is a coherent Amazon Advertising integration, but it grants access to OAuth-backed ad account actions that can change campaigns and budgets without visible approval or scoping guardrails.

Install only if you are comfortable granting Membrane-backed access to your Amazon Advertising account. Before allowing any create, update, budget, state, or bidding action, ask the agent to show the exact profile, campaign, proposed changes, and expected spend impact, and approve each mutation explicitly.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If connected to an Amazon Advertising account, an agent could make changes that affect campaign configuration or ad spend.

Why it was flagged

The skill exposes actions that can create or modify advertising campaigns and budgets. In the provided artifact text, there is no visible instruction to require explicit user approval or restrict scope before these high-impact mutations.

Skill content
| Create Campaign | create-campaign | Create a new Sponsored Products campaign with budget, targeting type, and bidding strategy. |
...
| Update Campaign | update-campaign | Update an existing Sponsored Products campaign settings like budget, state, or dates. |

Recommendation

Require explicit user confirmation for all create, update, budget, state, and bidding changes; show the target profile/campaign and proposed diff before execution; prefer dry-run or read-only workflows by default.

What this means

The connected account may remain usable through Membrane for future Amazon Advertising actions within the granted permissions.

Why it was flagged

The skill uses delegated authentication and credential refresh for Amazon Advertising through Membrane. This is expected for the integration, but it grants ongoing account authority.

Skill content
Membrane handles authentication and credentials refresh automatically

Recommendation

Use the least-privileged Amazon Advertising account/profile available, review authorization scopes during login, and revoke the Membrane connection when it is no longer needed.

What this means

The installed CLI version may differ over time, and a compromised or unexpected package version would affect all commands run through this skill.

Why it was flagged

The setup asks for a global CLI install using an unpinned latest npm package. This is central to the skill’s purpose, but it means behavior can change as the package updates.

Skill content
npm install -g @membranehq/cli@latest

Recommendation

Install the CLI from the official source, consider pinning a reviewed version, and update it deliberately rather than relying on @latest.

What this means

Amazon Advertising account metadata, campaign data, and action inputs may pass through Membrane while using the skill.

Why it was flagged

Membrane acts as an intermediary for Amazon Advertising actions and authentication. The data flow is disclosed and purpose-aligned, but the provided text does not describe retention or detailed data-boundary controls.

Skill content
This skill uses the Membrane CLI to interact with Amazon Advertising.

Recommendation

Review Membrane’s privacy and security terms, avoid sending unnecessary sensitive business data, and confirm which workspace or tenant is being used.