ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Ads Agent — PMax & Search Operations

v1.0.0

Manage and optimize Google Ads Search and Performance Max campaigns using AI-driven strategies, asset optimization, audience signals, and conversion tracking...

0· 130·0 current·0 all-time
by@tenlifejosh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description imply active management of Google Ads (making account changes, uploading lists, feeding conversion data), but the package is instruction-only with no declared credentials, API access, or install steps. If a user expects the skill to perform account actions, it cannot do so as provided; the claim is misleading.
!
Instruction Scope
SKILL.md is a comprehensive operational playbook that recommends uploading customer lists, implementing real-time conversion tags, and changing campaign/bidding settings. Those are account-level and PII-bearing operations; the instructions do not specify how to authenticate, where to read data from, or how to protect sensitive customer data, so the runtime scope is under-specified and potentially risky.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing will be written to disk or downloaded by the skill itself. This minimizes direct install risk.
!
Credentials
The skill makes recommendations that require Google Ads/GA4 access and customer data, but it declares no required environment variables, credentials, or config paths. This lack of declared credential needs is disproportionate to the operational actions the skill describes and omits guidance on handling sensitive data or least-privilege access.
Persistence & Privilege
always:false and no install mean the skill does not request persistent/system-wide presence or elevated platform privileges. It also does not attempt to modify other skills or agent config.
What to consider before installing
This appears to be a detailed how-to rather than an agent that will directly operate your Google Ads account. Before installing or using it: (1) Do not assume it will automatically manage campaigns—check whether the skill (or its publisher) will request OAuth/API access; (2) If you intend to let any agent manage accounts, require OAuth via Google's official flows and grant least privilege (read-only or limited manager scopes) and test on a non-production account; (3) Be cautious about uploading customer lists—ensure data is hashed/anonymized and that you have consent and compliance (GDPR/CCPA) in place; (4) Ask the publisher for source, homepage, and provenance (this skill lists none); (5) If you need active management, prefer a skill that declares its credential requirements and installation steps and that uses official APIs rather than an instruction-only playbook; (6) If you proceed, require explicit logging/audit trails and limit any credentials you provide (use ephemeral or scoped tokens, separate ad accounts, and revoke access after testing).

Like a lobster shell, security has layers — review code before you run it.

adsvk973w3pkzyrrq0qj81dcngh5ah839pbcgooglevk973w3pkzyrrq0qj81dcngh5ah839pbclatestvk973w3pkzyrrq0qj81dcngh5ah839pbcmarketingvk973w3pkzyrrq0qj81dcngh5ah839pbcpmaxvk973w3pkzyrrq0qj81dcngh5ah839pbcppcvk973w3pkzyrrq0qj81dcngh5ah839pbcsearchvk973w3pkzyrrq0qj81dcngh5ah839pbc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments