Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Google Ads

v0.2.0

Shared Google Ads API skill for OpenClaw agents. Query account, campaign, ad group, keyword, search term, and performance data with local scripts and GAQL ex...

1 · 528 · 1 current · 1 all-time
by Sebastian The Claw (@sebclawops)
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's name, SKILL.md, references, and scripts consistently implement Google Ads reporting and GAQL querying. However the registry metadata lists no required environment variables or primary credential while the included references and scripts clearly expect Google Ads credentials (developer token, client id/secret, refresh token, optional manager/client IDs). The metadata omission is an incoherence that could mislead users about what secrets the skill needs.
Instruction Scope
SKILL.md gives scoped, read-first instructions and requires explicit approval for live changes. It correctly points to reference docs and scripts for repeatable queries. A risk: scripts/authenticate.py prints the obtained refresh token to stdout (so an operator can copy it), which contradicts the 'never expose tokens' safety rule in the docs and could leak tokens to logs or chat if the agent captures console output. The browser-fallback is restricted in the docs and is reasonable when API access is unavailable.
Install Mechanism
This is instruction-only (no install spec). There is a requirements.txt (google-ads and google-auth packages) but installation would be a standard pip install by the operator. No arbitrary downloads or extract steps are specified.
! Credentials
The skill requires multiple sensitive environment variables (GOOGLE_ADS_DEVELOPER_TOKEN, GOOGLE_ADS_CLIENT_ID, GOOGLE_ADS_CLIENT_SECRET, GOOGLE_ADS_REFRESH_TOKEN, optional account IDs and login_customer_id), as documented in references/api-setup.md and used by the scripts. The registry metadata incorrectly lists no required env vars or primary credential. Requesting these Google Ads secrets is proportionate to the skill's purpose, but the metadata omission is a material mismatch and increases the risk of accidental exposure or misuse.
Persistence & Privilege
always is false and the skill does not request system-wide persistence or attempt to modify other skills or agent settings. The skill runs as-needed scripts and does not claim permanent elevated privileges.
What to consider before installing
This skill appears to be a legitimate Google Ads reporting/audit utility, but exercise caution before installing or running it:

  • The registry metadata does NOT declare the environment variables the scripts actually require. Expect to need at least: GOOGLE_ADS_DEVELOPER_TOKEN, GOOGLE_ADS_CLIENT_ID, GOOGLE_ADS_CLIENT_SECRET, GOOGLE_ADS_REFRESH_TOKEN, and optionally manager/client account IDs. Treat these as sensitive and provide them via your secure runtime secret injection, not by pasting into files.
  • The authenticate.py script prints the refresh token to stdout so you can copy it into secure storage. Do not run that in a context where console output is captured or sent to chat/logs you don't control. Prefer running it in a secure terminal and immediately storing the token in your vault.
  • Review the code (it's short and included) and confirm you trust the unknown publisher and the environment where you will run it; the repo has no homepage/source contact. Verify your logging and agent capture settings to ensure tokens and PII are not accidentally forwarded.
  • Install dependencies (requirements.txt) in an isolated environment if you decide to run anything. Consider running read-only scripts first (get_account_summary, gaql_query) and require explicit human approval before making any live changes.

If you want higher assurance, ask the publisher to update the registry metadata to list the required env vars and to change authenticate.py to avoid printing secrets directly (for example, prompt to store the token into a secure credential store instead).

Like a lobster shell, security has layers — review code before you run it.

latest vk976mv6fja3gk4a383yhyf193s82xr0b
528 downloads
1 star
3 versions
Updated 16h ago
v0.2.0
MIT-0

OpenClaw Google Ads

Use this skill for Google Ads API work across agents.

This is a shared skill, not a Sea Cool-only skill. Keep account-specific practices in project docs or memory, not in the core skill.

Use this skill for

  • campaign and account performance reporting
  • account health audits
  • wasted spend review
  • search term and keyword analysis
  • conversion tracking review
  • structured GAQL querying
  • production-safe recommendations before live changes

Default stance

Start read-only. Analyze first, recommend second, change last. Do not make live account changes without explicit approval.

Access model

Google Ads API Basic Access is suitable for real production use. If credentials are missing or invalid, stop and fix access before pretending the skill can do real work.

Setup and references

Read only what you need:

  • references/api-setup.md for credentials, auth flow, and connection testing
  • references/gaql-examples.md for query patterns
  • references/audit-workflows.md for practical account review flows
  • references/optimization.md for optimization heuristics and common mistakes
  • references/browser-fallback.md only when API access is unavailable or UI confirmation is explicitly needed

Available scripts

  • scripts/authenticate.py
  • scripts/gaql_query.py
  • scripts/get_account_summary.py
  • scripts/get_campaigns.py

Use scripts for repeatable API work. Use references for judgment.

Safety rules

  • never expose tokens or credentials in files or chat
  • prefer read-only analysis before any operational change
  • require explicit approval for pausing, enabling, editing, or budget changes
  • treat optimization advice as heuristics, not universal truth
  • when customer-identifying data appears in exported reports or account notes, apply PII protection before broader model use

Output style

Lead with findings and recommended actions. Keep reports practical:

  • what is happening
  • what looks wrong
  • what to check next
  • what to change, if approved
