Is google-ads-api safe?
https://clawhub.ai/byungkyu/google-ads-api
This is a documentation-only skill that provides Google Ads API integration through a third-party proxy service (Maton). While it contains no executable code, git hooks, or direct exfiltration mechanisms, its core design routes all Google Ads API traffic and OAuth credentials through gateway.maton.ai, which is a significant trust dependency. The skill also cross-references another skill from the same author, instructs the agent to echo the API key for troubleshooting, and the install-time filesystem monitoring shows the agent runtime (not the skill) reading sensitive files such as .env and .aws/credentials.
Findings (9)
MEDIUM All traffic proxied through third-party gateway -25
Every API call routes through gateway.maton.ai which proxies to googleads.googleapis.com and injects OAuth tokens. Users must trust Maton as an intermediary with full access to their Google Ads data. The gateway sees all queries, responses, and manages OAuth credentials on behalf of the user.
MEDIUM Cross-skill reference encourages installing additional skill -15
The skill description explicitly directs users to install another skill ('api-gateway') from the same author for 'other third party apps'. This creates a trust chain where accepting one skill leads to installing more, expanding the attack surface.
MEDIUM Troubleshooting instructs echoing API key to stdout -15
The troubleshooting section explicitly tells the agent to run 'echo $MATON_API_KEY' which would expose the API key in terminal output, logs, or any monitoring system capturing stdout.
LOW OAuth session tokens exposed in connection URLs -5
The connection creation flow returns URLs containing session tokens (connect.maton.ai/?session_token=...) which, if logged or displayed, could allow session hijacking.
LOW IMPORTANT directives influence agent shell behavior -8
Two IMPORTANT notes in the Notes section instruct the agent to modify how it constructs shell commands (using curl -g, avoiding piping with env vars). While seemingly helpful, these subtly control agent behavior and could mask issues with variable expansion that would otherwise be caught.
INFO Skill requests specific environment variable access -5
The skill declares a requirement for MATON_API_KEY environment variable, which is appropriate for its functionality but grants the agent access to read this secret.
INFO Agent runtime reads sensitive files during install -10
Filesystem monitoring shows reads of .env, .aws/credentials, .profile, and .bashrc during installation. These appear to be from the OpenClaw agent runtime (not the skill itself) based on the pattern of openclaw.json reads interleaved with these accesses.
INFO Jiti cache files created in /tmp during install -5
Multiple .cjs files were created in /tmp/jiti/ during installation. These are JIT-compiled JavaScript modules from the agent runtime, not from the skill itself.
INFO No executable code or install hooks present -10
The skill contains only markdown (SKILL.md), metadata (_meta.json), license (LICENSE.txt), and registry metadata (.clawhub/origin.json). No package.json scripts, git hooks, or executable files.