Google Ads

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: google-ads
Version: 1.1.0

The skill is classified as suspicious due to the instruction in `SKILL.md` to execute `cat ~/.google-ads.yaml`. While the skill legitimately requires access to Google Ads API credentials, directly instructing the agent to `cat` a file containing sensitive API keys (developer token, client ID/secret, refresh token) poses a significant information disclosure vulnerability if the agent's output or logging mechanisms are not securely handled. This is a risky capability without clear malicious intent, aligning with the definition of suspicious behavior rather than intentional malice.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A leaked Google Ads refresh token or client secret could let someone access or change advertising accounts.

Why it was flagged

The skill directs the agent toward privileged Google Ads credentials and includes a command that prints the local config file. That file typically contains secrets such as refresh tokens and client secrets, so printing it can expose credentials into the chat or logs.

Skill content

API Mode - If user has `google-ads.yaml` configured or `GOOGLE_ADS_*` env vars ... **Requirements:** Google Ads API developer token + OAuth credentials ... `cat ~/.google-ads.yaml`

Recommendation

Do not print the full config file. Use existence/permission checks or a redacted parser, declare the credential requirements clearly, and require explicit user permission before reading any credential file.

What this means

If used on the wrong customer ID, campaign, keyword, or budget, the agent could pause ads or change spending in a live advertising account.

Why it was flagged

The reference docs include direct Google Ads mutation operations that can change campaign budgets or statuses. This is aligned with the skill purpose, but it affects real ad spend and should be handled carefully.

Skill content

def update_budget(customer_id, budget_id, new_amount_micros): ... budget.amount_micros = new_amount_micros ... response = campaign_budget_service.mutate_campaign_budgets(...)

Recommendation

Before any mutation, require a user-visible dry run with customer ID, account name, campaign/keyword IDs, old values, new values, and an explicit confirmation.

What this means

Future package changes could affect behavior or compatibility.

Why it was flagged

The setup guide installs the Google Ads SDK from PyPI without pinning a version. This is a normal setup pattern for an API integration, but package provenance and version drift are still worth noting.

Skill content

pip install google-ads
# Or with venv
python -m venv google-ads-venv
source google-ads-venv/bin/activate
pip install google-ads

Recommendation

Install in a virtual environment and consider pinning an audited google-ads package version.