Google Ads Strategy: Search Campaigns, Keywords, Ad Copy, Negative Keywords, Quality Score

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Google Search Ads guidance skill with an optional AdKit CLI workflow, not a hidden or destructive package.

Install only if you want Google Search Ads help. Before letting it execute through AdKit, review any campaign, keyword upload, budget, or ad-publishing action because those can affect a real ads account and spend money. Keep sensitive unrelated files out of the workspace if you do not want the agent to see them while looking for `ad-process.md` or `ad-brief.md`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding:
The manifest frames the skill as guidance for planning, launching, and optimizing Google Search campaigns. Running a local command to detect installed software is a separate host-environment capability that is not clearly justified by the stated advisory scope, especially since the rest of the skill is presented as a decision guide and can operate manually without local execution.

Natural-Language Policy Violations

Low
Confidence: 83%
Finding:
Line L09 instructs users to split campaigns when they need different 'language,' which is a natural-language locale constraint. Because the document presents this as a blanket structural rule rather than an optional or region-specific practice, it can be read as forcing language segmentation without user opt-in or justification.

Natural-Language Policy Violations

Medium
Confidence: 94%
Finding:
The section 'Wrong Geography or Language' advises adding language terms as negatives for non-target markets. This is a natural-language locale policy concern because it prescribes excluding users based on language without offering user choice, opt-in, or a documented compliance/regional justification.

Vague Triggers

Medium
Confidence: 94%
Finding:
The manifest trigger list includes generic phrases such as "ppc" (L19), "keyword research" (L20), and "cpc" (L25) that can apply to many advertising contexts beyond Google Search Ads. Although the description narrows the skill's domain, the trigger list itself lacks explicit constraints or negative examples, increasing the risk of unintended invocation.

Shadow Command Trigger

Medium
Category: Trigger Abuse
Confidence: 70%
Finding:
Shadow Command Trigger: 'search ads' conflicts with built-in command 'search'

VirusTotal

64/64 vendors flagged this skill as clean.
