Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Ads

v1.1.0

Query, audit, and optimize Google Ads campaigns. Supports two modes: (1) API mode for bulk operations with google-ads Python SDK, (2) Browser automation mode for users without API access - just attach a browser tab to ads.google.com. Use when asked to check ad performance, pause campaigns/keywords, find wasted spend, audit conversion tracking, or optimize Google Ads accounts.

by Jonathan Rhyne (@jdrhyne)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match what the SKILL.md actually instructs: API mode uses the google-ads Python SDK and a google-ads.yaml config; browser mode uses a browser relay to operate on ads.google.com. Declared dependency on python3 and required config path (~/.google-ads.yaml) are appropriate for the stated features.
Instruction Scope
The runtime instructions explicitly tell the agent to read ~/.google-ads.yaml (or google-ads.yaml) and to run python snippets that use the google-ads SDK, and to snapshot/click within the user's browser session. Reading the config is expected for API mode, but it means the agent will access sensitive API credentials/refresh tokens. The skill also references environment variables (GOOGLE_ADS_*) as an alternative, but those env vars are not declared in the registry metadata — a minor mismatch.
Install Mechanism
This is an instruction-only skill with no install spec or code files. That minimizes footprint — the SKILL.md suggests installing the google-ads Python package if needed, but no automatic downloads or archive extraction are declared.
Credentials
The skill requests access to ~/.google-ads.yaml (which contains developer_token, client_id/secret, refresh_token) — this is proportional to API-mode functionality but is sensitive. The registry lists no required env vars, while the docs mention GOOGLE_ADS_* env variables as alternatives; the discrepancy should be resolved. There are no unrelated credentials requested.
Persistence & Privilege
always:false and no install behavior means the skill does not demand permanent presence or elevated platform privileges. It does require an interactive browser relay for browser mode, which is expected and limited to the Google Ads UI context.
Assessment
This skill appears coherent for managing Google Ads, but it will read your local google-ads.yaml (or expect env vars), which contains sensitive tokens (developer token, client_secret, refresh_token). Only install/use it if you trust the skill source (source/homepage are unknown). If you prefer not to expose API credentials, use the browser automation mode (which operates on your logged-in browser session) but ensure the browser relay/extension is trustworthy. Avoid running sample commands that print tokens to stdout; verify any outputs before sharing. If you do provide API credentials and later doubt the skill, rotate the credentials/refresh tokens. Finally, prefer installing the google-ads SDK yourself in a controlled environment rather than letting untrusted code prompt you to pip-install packages.

Like a lobster shell, security has layers — review code before you run it.

latestvk978pxe7kfn97q43m27av46pas8127mn

Runtime requirements

📊 Clawdis
Any bin: python3
Config: ~/.google-ads.yaml