Meta Ads Collector Adarsh
v1.0.0Collects active Meta ads for a brand, reporting total ads, formats, ad types, longest-running ad duration, and estimated spend if available.
⭐ 0· 222·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name and description match the implementation notes: the skill queries the Meta Ad Library API and computes ad metrics. Requesting a Meta access token and app credentials is appropriate for that purpose. However, the registry metadata lists no required environment variables or primary credential while the SKILL.md explicitly requires META_ACCESS_TOKEN, META_APP_ID, and META_APP_SECRET — an inconsistency between declared requirements and the runtime instructions.
Instruction Scope
The runtime instructions are focused on the Ad Library API and metric calculation (formats, counts, durations, optional spend). They reference process.env variables and other project files (e.g., metaAdsService.ts, src/types/audit.types.ts) and instruct logging errors with Winston. The instructions do not ask for unrelated system files or other service credentials, but they do require reading secret env vars (Meta credentials). Because the registry omitted those env requirements, the instructions grant the agent access to secrets that were not declared to users/installers — this is a scope/visibility concern.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes install-time risk (nothing is downloaded or written by an installer).
Credentials
The env vars named in SKILL.md (META_ACCESS_TOKEN, META_APP_ID, META_APP_SECRET) are appropriate and proportionate for querying Meta's Ad Library. However, the skill registry metadata claims 'Required env vars: none' and 'Primary credential: none'. The absence of declared env requirements in the registry is misleading and increases risk because users may not realize they must supply sensitive credentials. No unrelated secrets are requested, but the mismatch is a serious transparency issue.
Persistence & Privilege
The skill does not request always: true, does not include an install script, and does not appear to alter other skills or system-wide settings. It relies on runtime environment variables only and does not request elevated persistence.
What to consider before installing
Before installing or enabling this skill: 1) Do not provide META_ACCESS_TOKEN, META_APP_ID, or META_APP_SECRET until you confirm the skill source and how secrets are handled — the registry metadata did not declare any required env vars even though the SKILL.md requires them. 2) Prefer creating an app/credentials with minimal permissions and short-lived tokens (or use a dedicated read-only token) and rotate them after testing. 3) Ask the publisher to update the registry metadata to list the exact environment variables and explain how tokens are used and stored/logged. 4) Verify where logs and any returned data are sent (the SKILL.md references Winston logging and external APIs); ensure logs do not leak tokens or PII. 5) If you cannot verify the source, test in an isolated environment and avoid providing production credentials. If the developer cannot explain the metadata mismatch, treat the skill as untrusted.Like a lobster shell, security has layers — review code before you run it.
latestvk97bkwvjswxbm5g2hh1y3dx54d82b182
License
MIT-0
Free to use, modify, and redistribute. No attribution required.