Is google-ads safe?
https://clawhub.ai/jdrhyne/google-ads
The google-ads skill is a functionally legitimate Google Ads management tool that presents moderate security concerns. Its core functionality requires reading OAuth credentials from ~/.google-ads.yaml and environment variables, which normalizes access to sensitive secrets within the agent context. The skill includes mutation operations (pause campaigns, modify budgets) that could cause financial damage if misused, and browser automation mode grants broad control over authenticated Google Ads sessions. Installation monitoring detected access to .env and .aws/credentials files, though no outbound network exfiltration was observed.
Category Scores
Findings (11)
HIGH Explicit credential file reading -25 ▶
The skill instructs the agent to run 'cat ~/.google-ads.yaml' which displays OAuth client_secret, refresh_token, and developer_token in plain text. These credentials provide persistent API access to the user's Google Ads account. While this is functionally required for API mode, it exposes high-value secrets to the agent context where they could be leaked.
HIGH Sensitive file access during installation -20 ▶
Filesystem monitoring detected reads of /home/oc-exec/.env, /home/oc-exec/.aws/credentials, .profile, and .bashrc during the skill installation process. While .aws/credentials access appears to be the platform's credential scanning, the .env file access is concerning as it may contain application secrets unrelated to Google Ads.
MEDIUM Credential access normalization via metadata -15 ▶
The skill's metadata declares 'config: [~/.google-ads.yaml]' as a requirement, which normalizes agent access to this credential file. Combined with explicit 'cat' instructions, this creates a pattern where the agent treats reading sensitive credential files as expected behavior.
MEDIUM Environment variable credential probing -10 ▶
The skill instructs checking for GOOGLE_ADS_DEVELOPER_TOKEN, GOOGLE_ADS_CLIENT_SECRET, GOOGLE_ADS_REFRESH_TOKEN environment variables, potentially exposing credentials that were set as environment variables for security isolation.
MEDIUM External package installation -15 ▶
The skill instructs running 'pip install google-ads' which downloads and executes a package from PyPI. While google-ads is a legitimate Google SDK, this pattern of instructing arbitrary pip installs could be exploited by a malicious skill to install a typosquatted or backdoored package.
MEDIUM Local server for OAuth token exchange -10 ▶
The OAuth setup script opens a local HTTP server on port 8080 to complete the OAuth flow. This creates a temporary attack surface and could be exploited in a multi-skill scenario.
MEDIUM Financial damage potential via mutation operations -25 ▶
The skill includes code to pause campaigns, pause keywords, and modify budgets. A compromised or malicious skill could instruct the agent to pause all campaigns (stopping ad delivery) or dramatically increase budgets, causing direct financial harm to the advertiser.
MEDIUM Authenticated browser session control -20 ▶
Browser automation mode gives the agent full control over an authenticated Google Ads UI session. This includes the ability to modify billing settings, add/remove users, change campaigns, and access financial data beyond what the API mode exposes.
MEDIUM Broad file access during installation -25 ▶
Installation process accessed files beyond what should be needed for a skill install: .env, .aws/credentials, .profile, .bashrc, and multiple reads of openclaw config files. While some may be platform behavior, the breadth of file access is notable.
LOW Shell commands for environment probing -10 ▶
The skill includes bash commands to probe the environment: 'ls ~/.google-ads.yaml', 'python -c' import check. These are low-risk individually but establish a pattern of shell execution.
INFO Canary files intact 0 ▶
All honeypot files (fake .env, SSH keys, AWS credentials) remained unmodified during the audit. No evidence of automated credential harvesting.