Skill Amazon Ads Optimizer
Security checks across malware telemetry and agentic risk
Overview
The skill appears to do what it says—read Amazon Ads profiles and campaigns using your Amazon Ads credentials—but you should protect those credentials and choose output files carefully.
Install only if you intend to let OpenClaw access your Amazon Ads account data. Keep the amazon-ads-api.json file private, verify that commands only use the intended account/profile, and choose export paths carefully to avoid overwriting files or exposing campaign data.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent run with access to the credentials file can retrieve Amazon Ads profile and campaign information for that account.
The skill uses a local Amazon Ads credentials file containing a refresh token and client secret to obtain an access token. This is expected for the advertised integration, but it grants account access.
refresh_token: creds.refreshToken, client_id: creds.lwaClientId, client_secret: creds.lwaClientSecret,
Store the credentials file securely, use the narrowest Amazon Ads permissions available, avoid sharing exported outputs, and rotate the refresh token if you suspect exposure.
If an agent or user supplies the wrong output path, an existing writable file could be overwritten with campaign data.
The CLI can write campaign export data to any path supplied with --out. This is documented and user-directed, but the path is not restricted or overwrite-protected.
if (args.out) {
fs.writeFileSync(args.out, JSON.stringify({ fetchedAt: new Date().toISOString(), totalResults: data.totalResults, campaigns }, null, 2));Use an explicit safe output path, such as a temporary or project-local filename, and review commands before allowing the agent to write files.