Hopkin – Paid Ads: Meta, TikTok, Google, LinkedIn, Reddit
v0.1.0Query ad platform data (Meta, Google, LinkedIn, Reddit) using the Hopkin CLI. Use this skill when the user asks about ad accounts, campaigns, ad performance,...
⭐ 0· 86·0 current·0 all-time
byNima Gardideh@nemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill's name and description (querying ad platform data via the Hopkin CLI) match the SKILL.md instructions which show hopkin commands for Meta, Google, LinkedIn, and Reddit. One small mismatch: the top-level name/description mention TikTok, but the SKILL.md never documents hopkin 'tiktok' commands—this is likely an oversight in docs, not a functional red flag.
Instruction Scope
The instructions stay on-topic: install the hopkin CLI, check auth, run hopkin <platform> <resource> [verb] [flags], and prefer --json for parsing. The SKILL.md explicitly limits use to read-only queries and tells the agent to ask the user for an API key if not authenticated. It does not instruct the agent to read unrelated files, environment variables, or exfiltrate data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill (no install spec bundled). The doc tells users/agents to install @hopkin/cli globally via npm. That is a normal, expected install step for a CLI but is executed outside the packaged skill. You may want to verify the npm package and publisher before installing and prefer running installations manually (not pasting install commands into a privileged agent session).
Credentials
The skill does not require or declare environment variables or unrelated credentials. It does instruct the agent to ask the user for the Hopkin API key and run 'hopkin auth set-key <API_KEY>' — this is proportional and necessary for the stated read-only queries. There are no requests for unrelated secrets or cloud credentials.
Persistence & Privilege
No special persistence is requested: always is false, and the skill does not ask to modify other skills or system-wide settings. The ability to authenticate and store a hopkin API key (via the hopkin CLI) is normal for a CLI-based integration and is limited to the Hopkin tool.
Assessment
This skill appears to do what it says: it guides an agent to install and use the Hopkin CLI to read advertising data. Before installing or providing keys: (1) verify the @hopkin/cli npm package and its publisher (npmjs.org) and prefer manual installation in a controlled shell, (2) do not paste API keys directly into untrusted chats—use the hopkin CLI's auth command or a secure secret manager, (3) note the SKILL.md omits TikTok examples despite the name — confirm whether Hopkin supports TikTok if you need it, and (4) review the Hopkin account's API key permissions and rotate/revoke keys if compromised. If you want the agent to run installs or receive API keys, only proceed if you trust the agent's environment and policies for handling secrets.Like a lobster shell, security has layers — review code before you run it.
latestvk97f1tz5jgxcn85p4j1m78s9p583b0pz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.