ClawHub

Meta Ads Collector Adarsh

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent read-only Meta Ad Library collector, with expected Meta credential use and no evidence of destructive or hidden behavior.

This skill appears safe for its stated purpose, but only provide Meta credentials you are comfortable using for Ad Library access, and review any separate metaAdsService.ts implementation before connecting it to a live marketing audit pipeline.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI03: Identity and Privilege Abuse
Low
What this means

You may need to provide a Facebook/Meta access token or app credentials, which could affect your Meta app account and API quota if mishandled.

Why it was flagged

The skill expects Meta API credentials. This is appropriate for a Meta Ad Library integration, but users should notice that credentials may be needed even though the registry metadata lists none.

Skill content
- **Auth:** `META_ACCESS_TOKEN` environment variable ... - **Additional env vars:** `META_APP_ID`, `META_APP_SECRET`
Recommendation

Use a dedicated, least-privilege Meta app/token for this purpose, keep secrets out of logs and shared prompts, and update metadata to declare the required credential/environment variables.

#ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The visible skill instructions are benign, but the actual API-calling code would determine how credentials, errors, pagination, and network requests are handled.

Why it was flagged

The supplied package is instruction-only and does not include the referenced service implementation. This is not evidence of unsafe behavior, but any external implementation used with the skill should be reviewed separately.

Skill content
The collector depends on `metaAdsService.ts` for the actual API communication.
Recommendation

Before wiring this into a pipeline, review the referenced implementation code and ensure it only calls Meta's intended endpoint and handles credentials safely.