ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ZuckerBot

v1.0.0

Use this skill whenever the user or agent needs to interact with Facebook or Instagram ads via Meta's API. Trigger this skill when: the user wants to launch,...

0· 365·0 current·0 all-time
by@crumbedsausage

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for crumbedsausage/zuckerbotmcp.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "ZuckerBot" (crumbedsausage/zuckerbotmcp) from ClawHub.
Skill page: https://clawhub.ai/crumbedsausage/zuckerbotmcp
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install zuckerbotmcp

ClawHub CLI

Package manager switcher

npx clawhub@latest install zuckerbotmcp
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to operate against the Meta Ads API via a 'ZuckerBot MCP server' (npm: zuckerbot-mcp@0.2.7) and via OAuth on zuckerbot.ai, which is coherent with ad-management functionality. However, the registry metadata and SKILL.md do not declare any required installs, dependencies, or environment variables for that npm package or a connector. There is no homepage or source URL to verify the external service (zuckerbot.ai) or the npm package. The presence of a specific npm package in compatibility.tools without an install mechanism is an inconsistency.
!
Instruction Scope
The SKILL.md restricts actions to campaign creation, management, research, and conversion syncing — these are in-scope for an ad-management skill. However, it instructs the agent to prompt users to visit zuckerbot.ai, obtain an API key, and says 'ZuckerBot stores credentials, so this is a one-time step per session' without specifying where or how credentials are stored (agent memory, platform vault, remote service). That ambiguity increases risk because it could lead to credentials being retained or transmitted to an unknown third party.
Install Mechanism
This is an instruction-only skill with no install spec or code files (lower surface risk). Still, it's inconsistent that compatibility.tools lists a specific npm package (zuckerbot-mcp@0.2.7) but there are no install instructions or declared runtime requirements. If the skill relies on that package/server, the registry should declare how that integration is provided; absence of that information is a gap.
Credentials
The skill does not request any environment variables or platform secrets in metadata, and instead expects the user to obtain an API key via zuckerbot.ai OAuth and provide it at runtime. Requesting a service-specific API key is proportionate to the task. The concern is the unspecified storage/handling of that API key and lack of clarity about token scope/lifetime (short-lived vs long-lived).
!
Persistence & Privilege
The skill is not marked always:true, but the SKILL.md instructs: 'Even if the user doesn't say "ZuckerBot" — if ads on Meta are involved, use this skill.' That gives the agent broad discretionary trigger conditions. Combined with the ability to accept and 'store' API keys for future use, this creates a larger blast radius if the integration or storage is opaque. The skill does not indicate it will modify other skills or system config.
What to consider before installing
This skill could be legitimate, but there are important unknowns and inconsistencies you should resolve before installing or providing keys: 1) Verify the external service and developer: find and inspect zuckerbot.ai and the npm package (zuckerbot-mcp@0.2.7). Ensure the domain, privacy policy, and developer identity are trustworthy. 2) Ask where credentials are stored and who can access them (local agent-only, platform vault, or ZuckerBot servers). Prefer short-lived OAuth tokens or scoped tokens you can revoke. 3) Request an explicit install/connection flow or a published connector rather than implicit npm references in SKILL.md. 4) Limit autonomous invocation if you want control: do not allow the agent to call the skill automatically for every Meta-ads mention until you trust the integration. 5) If you must test, use a throwaway Meta account and tightly scoped test API key you can revoke. If the provider cannot answer the storage and install questions, treat the skill as risky and avoid providing production credentials.

Like a lobster shell, security has layers — review code before you run it.

adsvk9760en0xzkqpjsx4r58v9eg5x829m09facebookvk9760en0xzkqpjsx4r58v9eg5x829m09instagramvk9760en0xzkqpjsx4r58v9eg5x829m09latestvk9760en0xzkqpjsx4r58v9eg5x829m09metavk9760en0xzkqpjsx4r58v9eg5x829m09
365downloads
0stars
1versions
Updated 16h ago
v1.0.0
MIT-0
@crumbedsausage
adsfacebookinstagramlatestmeta
Download

ZuckerBot Skill

ZuckerBot gives AI agents the ability to create, launch, monitor, and manage Facebook and Instagram ad campaigns via the Meta Ads API. All tools are available via the ZuckerBot MCP server.

Authentication

Before any tool can be called, the user must:

  1. Connect their Facebook account at zuckerbot.ai (OAuth flow)
  2. Generate an API key from the developer page
  3. Provide the API key — ZuckerBot stores credentials, so this is a one-time step per session

If the user hasn't authenticated yet, prompt them to visit zuckerbot.ai before proceeding.

Tools Reference

zuckerbot_preview_campaign

Generate a campaign preview and strategy from a business URL — before spending anything.

When to use: User wants to explore what a campaign might look like, or you need to research the business before creating a campaign.

Key inputs:

  • url — the business or landing page URL
  • api_key — ZuckerBot API key

Output: Campaign strategy, suggested targeting, budget recommendations, ad creative concepts.

zuckerbot_create_campaign

Create a full campaign with strategy, targeting, budget, and ad creative recommendations.

When to use: User wants to build a campaign ready for launch. Use after preview if the user wants to iterate, or directly if they have clear goals.

Key inputs:

  • business_url or business description
  • objective — one of: traffic, leads, conversions, awareness (default: traffic)
  • budget_daily — daily budget in USD
  • api_key

Output: A structured campaign object ready to pass to launch_campaign.

zuckerbot_generate_ad_creative

Generate AI-powered ad creative images for Facebook/Instagram.

When to use: User wants visual assets for their campaign, or when launching a campaign that needs imagery.

Key inputs:

  • Campaign context / description
  • api_key

Output: Generated image(s) suitable for Meta ad placements.

zuckerbot_launch_campaign

Launch a single campaign variant on Meta (Facebook/Instagram).

When to use: User has a campaign ready and wants to go live with one variant.

Key inputs:

  • Campaign object (from create_campaign or user-provided)
  • api_key

Output: Campaign ID, live status, confirmation summary.

zuckerbot_launch_all_variants (A/B Testing)

Launch multiple ad variants simultaneously for A/B testing.

When to use: User wants to test multiple creatives, headlines, or audiences against each other. Preferred over single launch when optimisation is the goal.

Key inputs:

  • Array of campaign variant objects
  • api_key

Output: Array of campaign IDs and launch confirmations per variant.

zuckerbot_get_performance

Fetch real-time performance metrics for a campaign.

When to use: User asks how a campaign is performing, wants to see results, or you need data to make optimisation recommendations.

Key inputs:

  • campaign_id — from launch confirmation
  • api_key
  • date_preset — defaults to maximum (all-time); supports standard Meta date presets

Output: Impressions, clicks, CTR, spend, CPM, CPC, conversions (if tracked), ROAS.

zuckerbot_pause_campaign

Pause or resume a running campaign.

When to use: User wants to stop spending on a campaign temporarily, or resume a paused one.

Key inputs:

  • campaign_id
  • actionpause or resume
  • api_key

Output: Updated campaign status confirmation.

zuckerbot_research_competitors

Analyse competitor ads for a given business category and location.

When to use: User wants to understand the competitive landscape before launching, or wants creative/targeting inspiration.

Key inputs:

  • Business category
  • Location
  • api_key

Output: Competitor ad analysis, positioning insights, creative patterns.

zuckerbot_research_market

Get market intelligence for an industry and location.

When to use: User wants audience size estimates, market sizing, or industry benchmarks before committing budget.

Key inputs:

  • Industry / niche
  • Location
  • api_key

Output: Market size, audience estimates, benchmark CPMs and CTRs.

zuckerbot_research_reviews

Get review intelligence for a business.

When to use: User wants to understand customer sentiment, surface proof points for ad copy, or identify pain points competitors are missing.

Key inputs:

  • Business name or URL
  • api_key

Output: Review themes, sentiment summary, standout quotes usable in ad copy.

zuckerbot_sync_conversion

Send conversion feedback to Meta's algorithm to improve targeting.

When to use: User has confirmed conversions (purchases, leads, sign-ups) and wants to feed that signal back to Meta for optimisation. Use after campaigns have been running and have conversion data.

Key inputs:

  • Conversion event data
  • campaign_id
  • api_key

Output: Confirmation that the conversion signal was sent to Meta.

Recommended Workflows

Launch a new campaign from scratch

  1. research_market → understand audience size and benchmarks
  2. research_competitors → analyse the landscape
  3. preview_campaign → generate strategy from URL
  4. create_campaign → build the campaign object
  5. generate_ad_creative → create visuals
  6. launch_all_variants → go live with A/B test variants
  7. get_performance → monitor results

Quick launch (user has clear brief)

  1. create_campaign → build campaign
  2. launch_campaign → go live
  3. get_performance → check results

Performance check

  1. get_performance with campaign_id
  2. Summarise metrics, flag anything underperforming
  3. Recommend pause_campaign or budget adjustment if needed

Notes

  • Objective options: traffic (default), leads, conversions, awareness
  • A/B testing: Always prefer launch_all_variants over multiple single launches — it's cleaner and Meta treats the variants as a proper split test
  • Meta pixel: If the user has a pixel installed (e.g. ID: 1511887479858007), mention that conversion tracking is available and suggest sync_conversion after campaign results come in
  • Credentials: ZuckerBot uses stored credentials — once the user authenticates, the API key handles all subsequent calls without re-auth

Comments

Loading comments...