High-risk tools in Google Ads
7 of the 22 tools in Google Ads are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
gads_ad_group_performanceExecuteAd group performance with campaign context. Optional campaign_id filter. Default last 28 days, enabled ad groups.
-
gads_campaign_performanceExecuteCampaign-level performance: impressions, clicks, CTR, avg CPC, cost, conversions, conv value, CPA, ROAS. Defaults to last 28 days, enabled campaigns, sorted by cost desc.
-
gads_device_performanceExecuteClicks, cost, CTR, conversions, and CPA split by MOBILE / DESKTOP / TABLET per campaign. Default last 28 days.
-
gads_geo_performanceExecutePerformance broken down by geographic location (country, region, city). Surfaces top and bottom geo segments by cost and conversions.
-
gads_keyword_performanceExecuteKeyword-level performance with match type, quality score, clicks, cost, conversions. Filter by campaign_id or ad_group_id. Default last 28 days, enabled keywords.
-
gads_rsa_asset_performanceExecuteAsset-level performance labels (BEST / GOOD / LOW / PENDING / LEARNING) for RSA headlines and descriptions. Identifies which assets to keep, test, or replace.
-
gads_run_gaqlExecuteEscape hatch: run any raw GAQL query against Google Ads. Use when preset tools don't cover the report shape you need. Docs: developers.google.com/google-ads/api/docs/query/overview
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.