AdWhiz
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: adwhiz Version: 2.3.0 The AdWhiz skill bundle is a legitimate integration for managing Google Ads and Meta Ads via a hosted MCP server (mcp.adwhiz.ai). It defines 102 tools for account management, reporting, and campaign optimization using standard HTTP transport and API key authentication. The documentation in SKILL.md outlines a clear security model, including OAuth 2.0 for platform access and user confirmation for write operations, with no evidence of malicious intent, data exfiltration, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved too broadly or used carelessly, the agent could change budgets, enable or remove campaigns, alter ads, or affect live advertising spend.
The skill exposes many write tools that can directly change ad delivery and spending. Confirmation and paused defaults are useful mitigations, but the artifacts do not show hard spend caps, per-account restrictions, or rollback controls.
`Write (45 tools) — Requires user confirmation` ... `set_campaign_status | Pause, enable, or remove a campaign` ... `update_budget | Update budget amount or name`
Use this only with accounts you intend the agent to manage, review every write confirmation carefully, start with read-only audits, and prefer test or limited-budget accounts where possible.
A broadly linked account or exposed API key could give access to many ad accounts under the user's advertising hierarchy.
The API key represents delegated access to connected ad accounts, and MCC expansion may cover multiple child accounts. This is aligned with the purpose, but users should understand the breadth of access before linking accounts.
`ADWHIZ_API_KEY` is bound to a single user's connected accounts ... `list_accounts` | List all accessible Google Ads accounts (auto-expands MCC child accounts)
Link only the needed Google/Meta accounts, avoid connecting broad manager accounts unless necessary, protect the ADWHIZ_API_KEY, and revoke it when no longer needed.
Ad account data and delegated credentials are handled by an external service, not only by the local agent.
The hosted MCP proxy is the trust boundary for ad data and provider tokens. This is disclosed and expected for the integration, but it means sensitive account access depends on the provider's service controls.
All API calls are authenticated via your personal `ADWHIZ_API_KEY` and routed through the AdWhiz server at `mcp.adwhiz.ai` ... Refresh tokens (Google) and long-lived access tokens (Meta) are encrypted at rest
Use this only if you trust AdWhiz's hosted service, review its privacy/security practices, and confirm you can revoke connected Google/Meta access.