AdWhiz
ReviewAudited by ClawScan on May 10, 2026.
Overview
AdWhiz appears coherent for ad management, but it grants broad AI-accessible authority over paid Google and Meta ad accounts, including actions that can affect spend and public ads.
Install only if you are comfortable letting an AI-accessible hosted service manage real ad accounts. Start with read-only auditing, connect the smallest necessary account scope, use low-budget or test accounts first, and carefully review any confirmation that changes budgets, statuses, ads, campaigns, or conversion tracking.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved too broadly or used carelessly, the agent could change budgets, enable or remove campaigns, alter ads, or affect live advertising spend.
The skill exposes many write tools that can directly change ad delivery and spending. Confirmation and paused defaults are useful mitigations, but the artifacts do not show hard spend caps, per-account restrictions, or rollback controls.
`Write (45 tools) — Requires user confirmation` ... `set_campaign_status | Pause, enable, or remove a campaign` ... `update_budget | Update budget amount or name`
Use this only with accounts you intend the agent to manage, review every write confirmation carefully, start with read-only audits, and prefer test or limited-budget accounts where possible.
A broadly linked account or exposed API key could give access to many ad accounts under the user's advertising hierarchy.
The API key represents delegated access to connected ad accounts, and MCC expansion may cover multiple child accounts. This is aligned with the purpose, but users should understand the breadth of access before linking accounts.
`ADWHIZ_API_KEY` is bound to a single user's connected accounts ... `list_accounts` | List all accessible Google Ads accounts (auto-expands MCC child accounts)
Link only the needed Google/Meta accounts, avoid connecting broad manager accounts unless necessary, protect the ADWHIZ_API_KEY, and revoke it when no longer needed.
Ad account data and delegated credentials are handled by an external service, not only by the local agent.
The hosted MCP proxy is the trust boundary for ad data and provider tokens. This is disclosed and expected for the integration, but it means sensitive account access depends on the provider's service controls.
All API calls are authenticated via your personal `ADWHIZ_API_KEY` and routed through the AdWhiz server at `mcp.adwhiz.ai` ... Refresh tokens (Google) and long-lived access tokens (Meta) are encrypted at rest
Use this only if you trust AdWhiz's hosted service, review its privacy/security practices, and confirm you can revoke connected Google/Meta access.