Meta Ads MCP

Advisory: audited by static analysis on May 5, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent with the Facebook Ads MCP connected could create ad campaigns and, after approval, activate spend on a real Meta ad account.

Why it was flagged

The skill directs use of MCP tools that can create and activate paid ad entities. The paused-by-default and approval-before-activation rules make this purpose-aligned, but it is still high-impact account mutation.

Skill content

Create everything PAUSED — campaign → ad set → ad... Activate only after approval — flip status to ACTIVE only after the full review is signed off.

Recommendation

Grant access only when you intend real ad operations, verify the account/page/pixel, set account spending limits, and require explicit approval for activation and budget changes.

What this means

If the connected MCP account has broad permissions, the agent may be able to see or act across multiple business ad assets.

Why it was flagged

The guide expects delegated access to Meta Business assets, including ad accounts, pages, catalogs, and pixels/datasets. This is expected for the purpose but should be least-privileged.

Skill content

Identify the correct Ad Account ID (`act_XXXXXXXXXX`) before executing any action. Use `ads_get_ad_accounts` to list accessible accounts.

Recommendation

Use a Meta Business account with the minimum required permissions, avoid personal ad accounts, and confirm the exact ad account before allowing changes.

What this means

Customer activity and identifiers such as email or phone may be shared with Meta for matching, tracking, and retargeting.

Why it was flagged

The tracking guidance involves sending customer events and identifiers to Meta through Pixel/CAPI. That is aligned with ad tracking but is sensitive and requires clear privacy controls.

Skill content

Server Side: User action → Your server → CAPI → Meta receives event ... improve by sending email/phone in event parameters

Recommendation

Ensure user consent, privacy-policy coverage, hashing/minimization where applicable, and legal/compliance review before enabling Pixel/CAPI or customer-list workflows.

What this means

Campaign documentation could expose business identifiers, budgets, performance history, and decision logs to anyone with access to the Drive folder.

Why it was flagged

The guide instructs persistent external documentation of campaign details, account IDs, pixel IDs, performance, and decisions. This is useful for operations but creates shared stored context.

Skill content

Store in the site's designated Drive folder. Document should include: ... Ad Account ID ... Pixel ID

Recommendation

Store documentation in access-controlled folders, avoid secrets, review sharing settings, and treat stored campaign notes as operational records that future agents should verify before relying on.