Skill v1.2.0
ClawScan security
Meta Business CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 12:18 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and instructions are consistent with a CLI wrapper for Meta/Graph API usage, but it recommends building/installing code from an external GitHub repo and stores credentials locally — verify the source and be careful with secrets before installing.
- Guidance: This skill appears to be a straightforward wrapper for a Meta Graph CLI. Before installing or running it: (1) verify the 'meta' CLI binary or the GitHub repo (adolago/meta-cli) is the official/trusted source you expect; avoid running arbitrary git clone/build commands from unknown repos. (2) Understand that credentials (app secret, access tokens) are stored locally at ~/.meta-cli/config.json — protect that file (restrict permissions) and prefer using short-lived tokens or system users where possible. (3) The CLI can send messages and upload local files — review and restrict any tokens you pass (use allowlist features for messaging). (4) If you want stronger assurance, inspect the upstream repository code or prefer an install path from an official release or verified package registry.
Review Dimensions
- Purpose & Capability (ok): Name/description (Meta Business CLI for WhatsApp/Instagram/Facebook/Messenger) aligns with the actual requirements and instructions: the skill expects a 'meta' CLI binary and documents commands for messaging, media, templates, analytics and webhooks.
- Instruction Scope (ok): SKILL.md stays within the declared purpose: it shows CLI commands, OAuth flows, and config management. It instructs storing app credentials via the CLI (meta config set) and references the local config path (~/.meta-cli/config.json), which is expected for a CLI tool. It does not instruct reading unrelated system files or exfiltrating arbitrary data.
- Install Mechanism (note): The SKILL.md includes optional install commands: 'bun install -g meta-business-cli' and a git clone + bun build from https://github.com/adolago/meta-cli.git. Installing/building from an external GitHub repo and writing a binary to ~/.bun/bin is a normal install pattern for CLI tools but carries moderate risk if the source is untrusted — verify the upstream repo and its releases before running these commands.
- Credentials (ok): The skill declares no required environment variables and uses the CLI's own configuration and OAuth/token flows. The CLI stores app.id/app.secret and tokens in a local config file rather than requesting environment secrets from the skill registry — this is proportionate but means the local config file will contain sensitive credentials and should be protected.
- Persistence & Privilege (ok): The skill is not flagged as always:true and does not request elevated or cross-skill persistence. It suggests storing credentials in ~/.meta-cli/config.json (normal for a CLI) but does not attempt to alter other skills or system-wide settings.
