Ad Campaign Optimizer
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: ad-campaign-optimizer Version: 1.0.52 The skill bundle contains metadata and documentation for an 'AI Ad Campaign Optimizer' designed for multi-platform advertising management. While the SKILL.md file references several Python scripts (e.g., create_ad.py, ab_test.py) that are not present in the provided files, the documentation itself is purely descriptive and lacks any indicators of malicious intent, such as data exfiltration, unauthorized network calls, or prompt injection attacks. The discrepancy between version numbers in skill.json and _meta.json appears to be a minor administrative inconsistency.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected to real ad accounts, the agent could create or modify campaigns that spend money or publish ads without clearly documented safeguards.
The skill describes automatically creating paid ads and gives a command with a concrete budget, but the artifacts do not include approval requirements, budget caps, account limits, or rollback guidance.
- 自动创建广告(多平台:百度/抖音/微信/小红书...) ... python create_ad.py --platform "抖音" --product 123 --budget 1000
Require explicit user confirmation for every campaign creation, budget change, audience change, and ad launch; add dry-run mode, budget ceilings, platform/account allowlists, and rollback instructions.
Users may be asked later to provide broad platform access without a clear declaration of what credentials are needed or how they are scoped.
The metadata declares no credential requirements, while the advertised multi-platform ad-management actions would normally require delegated access to advertising accounts.
Primary credential: none; Required env vars: none; ... 自动创建广告(多平台:百度/抖音/微信/小红书...)
Declare each required platform credential, use least-privilege scopes, separate read-only analytics from write/spend permissions, and document exactly what account actions the skill may perform.
A user would need to obtain or create unreviewed scripts before the advertised workflow can run, which is risky for account-changing advertising operations.
The skill tells users to run helper scripts, but the provided manifest contains only SKILL.md and skill.json with no install spec or code files, so the implementation and provenance of those scripts are not reviewable.
python create_ad.py --platform "抖音" --product 123 --budget 1000 python ab_test.py --ad_id 456 --variants 5 python optimize.py --ad_id 456 --target "降低CPC"
Include the referenced scripts in the package or remove the commands; pin and document all dependencies and ensure high-impact scripts are auditable before use.