Meta Ad Creatives
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is coherent with its stated Meta Ads analytics purpose, but users should notice that it requires Meta credentials and may persist ad performance data.
This skill appears purpose-aligned for Meta Ads performance reporting. Before installing, use a limited Meta access token, verify the source and Python dependencies, and decide whether historical client/account data should be stored in Firestore or only locally in SQLite.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill may give it access to Meta Ads account metrics allowed by the supplied token.
The skill uses Meta/Facebook credentials from the environment to access ad account data. This is expected for the stated analytics purpose, but it is sensitive account authority.
access_token = os.getenv("FACEBOOK_ACCESS_TOKEN")
app_id = os.getenv("FACEBOOK_APP_ID")
app_secret = os.getenv("FACEBOOK_APP_SECRET")
Use a least-privilege Meta token limited to the ad accounts and read/reporting permissions needed, and keep the app secret out of shared logs or prompts.
Ad performance history may be saved locally or in Firestore and reused for later reporting.
The skill discloses persistent storage of historical ad performance data, including a cloud storage option. This fits trend analysis, but storage location and retention matter for business/client data.
The skill stores historical data for trend analysis:
- **Firestore** (default for cloud deployments)
- **SQLite** (local fallback)
Confirm whether Firestore or SQLite will be used, who can access the stored data, and whether retention/deletion practices meet your organization’s requirements.
Users have less context about the publisher/source and may need to manually ensure the Python environment contains safe dependencies.
The artifact has limited provenance and no install specification, while it includes executable Python code. No malicious behavior is evidenced, but provenance and dependencies should be verified before use.
Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.
Code file presence: scripts/meta_ad_creatives.py
Review the included code and install only trusted versions of required Python packages before running the examples.
