Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meta Ads Api

v1.0.0

Manage Meta ad campaigns by reading, creating, updating campaigns, ad sets, ads, creatives, and retrieving insights via the Marketing API.

by Otman Heddouch (@otman-ai)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for otman-ai/metaads.

Install the skill "Meta Ads Api" (otman-ai/metaads) from ClawHub.
Skill page: https://clawhub.ai/otman-ai/metaads
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install metaads

ClawHub CLI


npx clawhub@latest install metaads
Security Scan
Capability signals
Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The human-readable description and SKILL.md both describe a Meta Marketing API integration (reading/creating campaigns, insights) which legitimately requires an access_token and ad_account_id. However, the registry metadata declares no required environment variables or primary credential. That discrepancy (instructions require credentials but metadata lists none) is an incoherence that should be resolved.
[!] Instruction Scope
SKILL.md gives explicit runtime steps that include creating/updating campaigns, paging through results, caching campaign lists, logging all API responses, and recommending long-lived/system user tokens. 'Log all API responses' and 'cache campaign lists' imply writing or persisting potentially sensitive API responses or tokens. The instructions also say 'Never expose access tokens' but do not specify how logs/caches are sanitized, or where/how persistent storage is used. These gaps expand scope beyond a minimal API client and risk accidental credential exposure.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. That is the lowest-risk install mechanism. However, the runtime instructions still imply persistence (caching/logging), which is not described in the metadata.
[!] Credentials
SKILL.md explicitly requires 'access_token' and 'ad_account_id' and lists permissions (ads_read, ads_management). The registry claims no required environment variables or primary credential. Requesting access tokens and recommending long-lived system user tokens are proportionate to the stated functionality, but the metadata omission is problematic and the recommendation of long-lived/system tokens increases blast radius if mishandled.
[!] Persistence & Privilege
The skill is not flagged always:true and is user-invocable (defaults). Still, the instructions call for caching and logging of API responses without specifying storage location, retention, or sanitization. That implies persistence and potential exposure of sensitive data despite no declared config paths. The lack of clarity about where data will be stored or how it will be protected is a concern.
What to consider before installing
Do not install or enable this skill until the publisher corrects the metadata and clarifies storage/secret handling. Specific actions to request or verify before use:

  • Metadata fixes: require.env / primaryEnv should list the access token and ad_account_id (or explain how the token is provided). A trusted publisher should declare required credentials.
  • Least privilege: only grant the minimal scopes needed (prefer ads_read for read-only use). Avoid long-lived or Business Manager system-user tokens unless absolutely necessary and you trust the publisher.
  • Tokens and logs: insist logs and caches never contain raw tokens or PII; ask how caching is implemented and where data is stored (encrypted at rest, retention policy). If you must test, use a dedicated test ad account with limited budget and data.
  • Autonomy controls: consider disabling autonomous invocation or restricting the skill to user-invoked operation until you confirm behavior, since the skill can perform write operations (create/update campaigns).
  • Verification: ask for a homepage/source or publisher identity and request an explicit privacy/security statement.

If the publisher can't provide clear answers (where tokens are stored, how logs are sanitized), treat the skill as unsafe. If you proceed, provide only short-lived, narrowly-scoped credentials and monitor API calls and account activity closely.

Like a lobster shell, security has layers — review code before you run it.

latest vk97c11yy3kkzq4bsn9scxrgpss85ev38
64 downloads
0 stars
1 version
Updated 4d ago
v1.0.0
MIT-0

Meta Ads API Skill (Full)

Overview

This skill enables an agent to read, create, and manage Meta (Facebook/Instagram) ad campaigns via the Marketing API.


Base Configuration

API Base URL

https://graph.facebook.com/v19.0/

Required Inputs

  • access_token
  • ad_account_id (format: act_<ID>)

Authentication

Method

Send the access token in a header or as a query parameter:

Authorization: Bearer <ACCESS_TOKEN>

or

?access_token=<ACCESS_TOKEN>

Permissions Required

Permission       Purpose
ads_read         Read campaigns, ads, insights
ads_management   Create & update campaigns

Core Entities

  • Campaign → Top-level objective
  • Ad Set → Budget + targeting
  • Ad → Creative (image/video + copy)

READ OPERATIONS (Primary)

1. Get Campaigns

Endpoint

GET /act_<AD_ACCOUNT_ID>/campaigns

Example

GET /act_<ID>/campaigns?fields=id,name,status,objective

2. Get Ad Sets

GET /act_<ID>/adsets?fields=id,name,campaign_id,status,daily_budget

3. Get Ads

GET /act_<ID>/ads?fields=id,name,adset_id,status

4. Campaign Insights

GET /<CAMPAIGN_ID>/insights?fields=impressions,clicks,spend,ctr,cpc

5. Account Insights

GET /act_<ID>/insights?fields=impressions,clicks,spend&date_preset=last_7d

6. Time Range Filtering

time_range={'since':'2024-01-01','until':'2024-01-31'}

7. Status Filtering

effective_status=['ACTIVE']

8. Levels

level=campaign | adset | ad

Pagination

Responses include:

paging.next

Agent Rule

  • Follow paging.next until exhausted
  • Stop at safe limit (e.g., 10 pages)

WRITE OPERATIONS

9. Create Campaign

POST /act_<ID>/campaigns

Payload:

name=My Campaign
objective=CONVERSIONS
status=PAUSED
special_ad_categories=[]

10. Create Ad Set

POST /act_<ID>/adsets

Payload:

name=Ad Set 1
daily_budget=1000
billing_event=IMPRESSIONS
optimization_goal=REACH
campaign_id=<CAMPAIGN_ID>
targeting={"geo_locations":{"countries":["MA"]}}
status=PAUSED

11. Create Ad Creative

POST /act_<ID>/adcreatives

Payload:

name=Creative 1
object_story_spec={"page_id":"<PAGE_ID>","link_data":{"message":"Hello","link":"https://example.com"}}

12. Create Ad

POST /act_<ID>/ads

Payload:

name=Ad 1
adset_id=<ADSET_ID>
creative={"creative_id":"<CREATIVE_ID>"}
status=PAUSED

13. Update Campaign Status

POST /<CAMPAIGN_ID>?status=PAUSED

INSIGHTS METRICS

Common fields:

  • impressions
  • clicks
  • spend
  • ctr
  • cpc
  • conversions (if configured)

ERROR HANDLING

Code   Meaning
190    Invalid/expired token
200    Permission denied
100    Invalid parameter

RATE LIMITS

  • Respect HTTP 429
  • Retry with exponential backoff
  • Batch requests when possible

AGENT RULES (IMPORTANT)

Safety

  • Always create campaigns as PAUSED
  • Never expose access tokens
  • Validate all IDs before use

Efficiency

  • Cache campaign lists
  • Avoid duplicate API calls
  • Use insights endpoints instead of raw data when possible

Reliability

  • Retry failed requests (max 3)
  • Log all API responses
  • Detect empty responses
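
The rules above say both "Never expose access tokens" and "Log all API responses" without saying how the two fit together. As an added example (not part of the skill or of ClawHub's code), one way to scrub tokens from requests and responses before anything is logged or cached; the token and response are constructed, and it is an assumption here that a paging.next URL can carry the token as a query parameter.

```python
import json
import re

REDACTED = "[REDACTED]"
SECRET_KEYS = {"access_token", "authorization"}  # compared lower-cased
TOKEN_PARAM = re.compile(r"(?i)(access_token=)[^&#\s\"']+")
BEARER = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+")

def scrub_text(text):
    """Redact tokens embedded in free text, URLs and header lines."""
    text = TOKEN_PARAM.sub(r"\1" + REDACTED, text)
    return BEARER.sub(r"\1" + REDACTED, text)

def scrub(obj):
    """Recursively redact secret-named keys and token-bearing strings."""
    if isinstance(obj, dict):
        return {k: REDACTED if str(k).lower() in SECRET_KEYS else scrub(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    if isinstance(obj, str):
        return scrub_text(obj)
    return obj

def log_record(method, url, headers, body):
    """Build the JSON line that is safe to write to a log or cache."""
    return json.dumps({"method": method, "url": scrub_text(url),
                       "headers": scrub(headers), "response": scrub(body)},
                      sort_keys=True)

# Constructed sample data: the token is fake, and the paging URL echoing it
# as a query parameter is an assumption made for this example.
FAKE_TOKEN = "EAAB-constructed-token-0001"
BASE = "https://graph.facebook.com/v19.0/act_123/campaigns"
SAMPLE_BODY = {
    "data": [{"id": "1", "name": "Spring sale", "status": "PAUSED"}],
    "paging": {"next": f"{BASE}?access_token={FAKE_TOKEN}&after=abc"},
}

if __name__ == "__main__":
    print(log_record("GET", f"{BASE}?fields=id,name&access_token={FAKE_TOKEN}",
                     {"Authorization": f"Bearer {FAKE_TOKEN}"}, SAMPLE_BODY))
```

The same scrub() pass applies to anything written by the "Cache campaign lists" rule, since cached responses carry the same paging URLs.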

ANALYTICS LOGIC (Agent Intelligence)

Detect Poor Performance

  • High spend + low CTR → flag
  • High CPC → recommend pause

Detect Winners

  • High CTR + low CPC → scale budget

Example Rule

IF spend > 50 AND ctr < 0.5%
THEN mark campaign as underperforming

SAMPLE REQUEST FLOW

  1. Fetch campaigns
  2. Fetch insights
  3. Analyze metrics
  4. Decide action
  5. Update campaign (pause/scale)

BEST PRACTICES

  • Use long-lived tokens
  • Prefer system users (Business Manager)
  • Monitor token expiration
  • Use versioned API (v19.0+)

NOTES

  • Insights are delayed (not real-time)
  • Conversion tracking requires Pixel or CAPI
  • Some features require app review
