Is edyyy62/adcp-advertising safe?

https://github.com/openclaw/skills/tree/main/skills/edyyy62/adcp-advertising

Overall score: 74 (CAUTION)

The adcp-advertising skill is a documentation-only integration that contains no malicious executable code and passes all install-time behavioral checks. However, its core functionality requires transmitting user business data (campaign briefs, brand strategies, budgets) to an external third-party MCP server operated by the AdCP project, using a publicly known shared auth token, so every piece of submitted data is readable by anyone who knows that token. The skill also enables autonomous financial commitments and instructs agents to fetch external URLs for brand context, creating indirect prompt injection and financial risk vectors.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 72/100 · 30%
Data Exfiltration 52/100 · 25%
Code Execution 93/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (9)

HIGH (-25): All campaign data routed to external third-party MCP server

The skill's core workflow requires the agent to connect to https://test-agent.adcontextprotocol.org/mcp and transmit all advertising campaign details, brand manifests, audience targeting parameters, and budget figures. This server is operated by the AdCP project, not the skill author, and all data sent is accessible to anyone holding the publicly documented shared auth token.

HIGH (-30): Skill enables autonomous financial commitments without confirmation guardrails

The create_media_buy task can commit real advertising budgets at the agent's discretion based on natural language requests. The skill's example workflows show the agent creating campaigns immediately upon user request with no built-in approval step. A misunderstood prompt could result in unexpected financial commitments.

MEDIUM (-15): brand_manifest URL fetching creates indirect prompt injection surface

The skill recommends passing user-supplied URLs as brand_manifest.url values, which instructs the agent to fetch external URLs and incorporate their content. If an adversarial URL hosts a document with embedded LLM instructions, this could manipulate the agent's subsequent behavior.

MEDIUM (-8): External llms.txt endpoint instructs agents to fetch AI-targeted content

The skill explicitly directs agents to load https://docs.adcontextprotocol.org/llms.txt — a document specifically formatted for LLM consumption. This file is controlled by the AdCP project and could be updated at any time to include instructions that modify agent behavior beyond the skill's stated purpose.

MEDIUM (-13): Shared public auth token exposes all submitted campaign data

A single hardcoded authentication token is distributed to all users of this skill. Any third party who knows this token (it is published in the official AdCP documentation and in this skill) can query the test server to access campaigns, creatives, and performance data submitted by all users.

MEDIUM (-20): Community repository impersonates official AdCP branding

The skill is published by edyyy62 with repository github.com/edyyy62/openclaw-adcp, but extensively cross-links to the official AdCP organization at github.com/adcontextprotocol/adcp. Users cannot easily distinguish between community and official infrastructure, and the test agent URL (adcontextprotocol.org) is operated by the official AdCP project rather than the skill author.

LOW (-7): No executable code found — documentation-only skill

All skill files are markdown documentation and a JSON metadata file. No package.json with install scripts, no git hooks, no compiled code, no shell scripts, and no symlinks were found. The JavaScript snippets in the documentation are illustrative examples, not executed code.

LOW (-10): Install-time behavior clean — only expected GitHub connection

The git clone operation connected only to GitHub (140.82.121.4:443) and completed normally. No unexpected processes were spawned, no files were written outside the designated directory, and no connections were made to advertising infrastructure during installation.

INFO (0): Canary file accesses attributable to audit framework, not skill

Canary files (.env, .ssh/id_rsa, .aws/credentials) were opened with CLOSE_NOWRITE during monitoring. Both access bursts (pre-clone at timestamp 1771933388 and post-install at 1771933405) align with Oathe audit framework setup and integrity verification operations, not with any skill code execution.