Adagent Google Ads

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Google Ads management skill, but it can affect ad spend and campaign delivery without clearly requiring confirmation first.

Review this skill carefully before installing. Only use it if you trust AdAgent with Google Ads access, treat the MCP connector link like a password, and require explicit confirmation before creating campaigns, changing budgets, enabling campaigns, or pausing active campaigns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The condition 'wants to manage their Google Ads account' is overly open-ended and can match a wide range of ambiguous requests. In this skill, that ambiguity is more dangerous because the available tools include campaign creation and enable/pause operations against a real third-party account, increasing the chance of unintended account access or modifications.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The condition 'wants to manage their Google Ads account' is overly open-ended and can match a wide range of ambiguous requests. In this skill, that ambiguity is more dangerous because the available tools include campaign creation and enable/pause operations against a real third-party account, increasing the chance of unintended account access or modifications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises tools that can create campaigns and enable or pause them, but it does not prominently require explicit user confirmation before taking account-modifying actions. In a financial/marketing platform like Google Ads, such actions can directly affect spend, campaign delivery, and business operations, so missing confirmation safeguards increases the risk of costly unintended changes.

VirusTotal

65/65 vendors flagged this skill as clean.
