Fullrun
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This Google Ads skill is purpose-aligned, but it can use an API key and external CLI to automatically change campaigns and budgets without clearly bounded approval or rollback.
Install only if you trust the Fullrun CLI and are comfortable granting it Google Ads authority. Use a restricted API key, confirm the connected account, run diagnostic commands first, and require a human-reviewed change plan before allowing `fullrun run` to modify campaigns or budgets.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad optimization could change campaigns, budgets, or other ad settings and affect advertising spend or performance.
This exposes a single CLI action that can automatically make Google Ads account changes, without documenting per-change user approval, dry-run output, rollback, or precise campaign/budget scope.
`fullrun run` — Trigger a full AI-powered optimization run. The agent triages the account and fixes the highest-priority issues automatically.
Require explicit user confirmation and a reviewed change plan before running `fullrun run`; prefer diagnostic commands first and limit actions to specified campaigns or budgets.
If the API key has broad access, the skill may be able to view and modify more Google Ads data or campaigns than the user intended.
The required API key is paired with account-wide read and automatic write operations, but the artifacts do not define the credential scope, account boundary, or least-privilege model.
requires: bins: [fullrun] env: [FULLRUN_API_KEY] ... `fullrun campaigns:list` — All campaigns ... `fullrun run` — ... fixes the highest-priority issues automatically.
Use the most restricted key or account permissions available, verify which Google Ads account is connected, and avoid broad production access unless the user explicitly approves it.
Users must trust that the npm package they install is the intended Fullrun CLI before giving it an API key and ad-account authority.
The setup instructs users to install a global CLI package by name only. No pinned version, install spec, homepage, or reviewed package contents are provided in the artifact set.
npm install -g fullrun
Verify the npm package publisher, version, and documentation before installation; consider pinning a known-good version and installing in a controlled environment.