Ads Optimizer Skill

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward Amazon Ads CLI skill, but it requires sensitive Amazon Ads OAuth credentials and can print or save advertiser campaign data.

Install only if you are comfortable giving this skill access to Amazon Ads credentials. Keep the amazon-ads-api.json file private, use least-privileged credentials where possible, review any --out file path before running, and treat the current code as a campaign/profile reporting tool rather than a full optimizer.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent process that can read this credentials file may be able to access the associated Amazon Ads account according to the token's permissions.

Why it was flagged

The skill requires Amazon Ads OAuth client credentials and a refresh token in a local file. That is expected for Amazon Ads access, but these credentials can be powerful and are not declared in the registry metadata.

Skill content

"lwaClientSecret": "YOUR_CLIENT_SECRET", "refreshToken": "Atzr|YOUR_REFRESH_TOKEN" ... Save as `amazon-ads-api.json`. Set `AMAZON_ADS_PATH` env var

Recommendation

Use the least-privileged Amazon Ads app/token available, store the file outside shared folders, restrict file permissions, and rotate the refresh token if it may have been exposed.

What this means

Private advertiser campaign and budget information may appear in the agent transcript or be stored in a local output file.

Why it was flagged

The script prints campaign names, states, targeting type, and budgets, and can save the full campaign list to a local file.

Skill content

console.log(`  [${c.state}] ${c.name} — ${c.budget?.budget}/day (${c.targetingType})`); ... fs.writeFileSync(args.out, JSON.stringify({ fetchedAt: new Date().toISOString(), totalResults: data.totalResults, campaigns }, null, 2));

Recommendation

Run it only in trusted sessions, avoid sharing transcripts containing campaign data, and save output files only to intended private locations.

What this means

If an agent or user supplies the wrong path, the report could overwrite an unintended file or place campaign data somewhere less private.

Why it was flagged

The optional output path is taken directly from the command line and written without path validation.

Skill content

else if (a[i] === '--out') out.out = a[++i]; ... fs.writeFileSync(args.out, JSON.stringify(...));

Recommendation

Use explicit safe output paths, avoid protected or shared directories, and review any agent-proposed --out path before running.

What this means

Users have less external provenance information when deciding whether to trust a skill that handles advertiser credentials.

Why it was flagged

The skill's bundled code is visible and has no remote install step, but there is no declared upstream source or homepage to help verify provenance.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Review the included script before use, prefer installing from a known repository when available, and re-check code on updates.

What this means

A user might grant broader Amazon Ads credentials expecting optimization features that are not actually implemented in the provided code.

Why it was flagged

The README claims optimization and bid/keyword management, while the supplied SKILL.md and script only document listing profiles, listing campaigns, summaries, and optional file output.

Skill content

manage campaigns, keywords, bids, and run daily optimization

Recommendation

Treat this version as a read/list/reporting tool unless you review additional code that implements mutations or optimization.