Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

metacli

v1.0.0

Meta Marketing CLI for authentication lifecycle, Graph API requests, campaign/ad/adset writes, insights reporting, and Instagram publishing. Use when handlin...

by Bilal Bayram (@bilalbayram)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description describe a Meta Marketing CLI and the instructions and install spec all reference the same 'meta' CLI (go module github.com/bilalbayram/metacli/cmd/meta). Requiring the 'meta' binary and offering a go install for that module is coherent with the stated purpose.
!
Instruction Scope
SKILL.md directs the AI to perform OAuth setup on the AI host (listen on 127.0.0.1 and accept the redirect), run authentication flows, and handle APP_ID/APP_SECRET. It also recommends using cloudflared to expose an HTTPS redirect URI. These are functional for OAuth but expand the agent's runtime responsibilities (opening ports, receiving external callbacks). The instructions also tell humans to open auth URLs in their browsers and rely on the AI host to finish token exchange. The doc warns to redact secrets, but it still instructs passing APP_SECRET and tokens via CLI parameters (or environment), which increases risk of accidental leakage in process args or logs.
Install Mechanism
Install uses go install of a GitHub module (github.com/bilalbayram/metacli/cmd/meta@latest) which is common and traceable. This will build a binary named 'meta' on the host. Using a Go module from GitHub is moderate-risk but expected for CLI tools; there's no opaque download or archive extract. Verify the repository and its code before installing.
!
Credentials
The SKILL.md explicitly requires APP_ID, APP_SECRET, and REDIRECT_URI for the auth bootstrap, but the registry metadata lists no required env vars. The doc also references storing schemas under ~/.meta/schema-packs and suggests using cloudflared (an extra binary); neither is declared in the skill requirements. Passing APP_SECRET on the command line or storing it on the AI host is sensitive and not justified in the metadata. This mismatch between declared requirements and actual instructions reduces transparency and increases risk of secret exposure.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide configs. It requires running a binary on demand and performing OAuth flows on the agent host; those are operational privileges but not an elevated persistent platform privilege.
What to consider before installing
This skill appears to be the Meta Marketing CLI it claims to be, but pay attention to a few risks before installing or using it:
(1) The runtime instructions require APP_ID and APP_SECRET even though the metadata declares no required env vars — do not pass your App Secret or long-lived tokens without understanding where they will be stored and who/what can read them. Prefer short-lived tokens or manual exchange if possible.
(2) The doc recommends exposing the AI host to receive OAuth callbacks (cloudflared) and binding a listener — verify you're comfortable running an endpoint that accepts web redirects.
(3) The install builds a binary from github.com/bilalbayram/metacli; review the repo and lock to a specific commit or release rather than @latest.
(4) Consider running the CLI in a sandboxed environment or ephemeral container, and confirm where tokens and schema files (e.g., ~/.meta/) are written.
(5) Ask the skill author or maintainer to: declare APP_ID/APP_SECRET/REDIRECT_URI in requires.env or explicitly state how secrets are provided and stored, and list cloudflared (or alternate tunneling tools) in required binaries.
If you cannot verify these details, treat the skill with caution and avoid supplying high-privilege app secrets.

Like a lobster shell, security has layers — review code before you run it.

latest: vk975e23136dtc5fvkqnzdcnsf981xrsb

Runtime requirements

📣 Clawdis
Bins: meta

Install

Install meta (go)
Bins: meta
go install github.com/bilalbayram/metacli/cmd/meta@latest
