Trust Assessment
google-ads received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. The key finding is that the skill instructs the agent to expose Google Ads API credentials.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Skill instructs agent to expose Google Ads API credentials. The skill's 'API Mode' setup instructions include the command `cat ~/.google-ads.yaml` to 'Check config'. This file is explicitly stated to contain Google Ads API developer token and OAuth credentials. If an agent executes this command, it would directly expose sensitive API credentials, leading to credential harvesting and potential unauthorized access to the user's Google Ads account. Remove the instruction to `cat` the credentials file. Instead, instruct the agent to verify the *existence* of the file (e.g., using `ls`) or to use the `google-ads` SDK's `load_from_storage()` method to attempt loading without exposing the file content. If the agent needs to confirm *which* credentials are being used, it should be instructed to ask the user or to use a secure method provided by the SDK that doesn't print secrets. | LLM | SKILL.md:68 |