ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

metacli

Meta Marketing CLI for authentication lifecycle, Graph API requests, campaign/ad/adset writes, insights reporting, and Instagram publishing. Use when handlin...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 260 · 0 current installs · 0 all-time installs
byBilal Bayram@bilalbayram
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description describe a Meta Marketing CLI and the instructions and install spec all reference the same 'meta' CLI (go module github.com/bilalbayram/metacli/cmd/meta). Requiring the 'meta' binary and offering a go install for that module is coherent with the stated purpose.
!
Instruction Scope
SKILL.md directs the AI to perform OAuth setup on the AI host (listen on 127.0.0.1 and accept the redirect), run authentication flows, and handle APP_ID/APP_SECRET. It also recommends using cloudflared to expose an HTTPS redirect URI. These are functional for OAuth but expand the agent's runtime responsibilities (opening ports, receiving external callbacks). The instructions also tell humans to open auth URLs in their browsers and rely on the AI host to finish token exchange. The doc warns to redact secrets, but it still instructs passing APP_SECRET and tokens via CLI parameters (or environment), which increases risk of accidental leakage in process args or logs.
Install Mechanism
Install uses go install of a GitHub module (github.com/bilalbayram/metacli/cmd/meta@latest) which is common and traceable. This will build a binary named 'meta' on the host. Using a Go module from GitHub is moderate-risk but expected for CLI tools; there's no opaque download or archive extract. Verify the repository and its code before installing.
!
Credentials
The SKILL.md explicitly requires APP_ID, APP_SECRET, and REDIRECT_URI for the auth bootstrap, but the registry metadata lists no required env vars. The doc also references storing schemas under ~/.meta/schema-packs and suggests using cloudflared (an extra binary) — neither are declared in the skill requirements. Passing APP_SECRET on the command line or storing it on the AI host is sensitive and not justified in the metadata. This mismatch between declared requirements and actual instructions reduces transparency and increases risk of secret exposure.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide configs. It requires running a binary on demand and performing OAuth flows on the agent host; those are operational privileges but not an elevated persistent platform privilege.
What to consider before installing
This skill appears to be the Meta Marketing CLI it claims to be, but pay attention to a few risks before installing or using it: (1) The runtime instructions require APP_ID and APP_SECRET even though the metadata declares no required env vars — do not pass your App Secret or long-lived tokens without understanding where they will be stored and who/what can read them. Prefer short-lived tokens or manual exchange if possible. (2) The doc recommends exposing the AI host to receive OAuth callbacks (cloudflared) and binding a listener — verify you're comfortable running an endpoint that accepts web redirects. (3) The install builds a binary from github.com/bilalbayram/metacli; review the repo and lock to a specific commit or release rather than @latest. (4) Consider running the CLI in a sandboxed environment or ephemeral container, and confirm where tokens and schema files (e.g., ~/.meta/) are written. (5) Ask the skill author or maintainer to: declare APP_ID/APP_SECRET/REDIRECT_URI in requires.env or explicitly state how secrets are provided and stored, and list cloudflared (or alternate tunneling tools) in required binaries. If you cannot verify these details, treat the skill with caution and avoid supplying high-privilege app secrets.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk975e23136dtc5fvkqnzdcnsf981xrsb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📣 Clawdis
Binsmeta

Install

Install meta (go)
Bins: meta
go install github.com/bilalbayram/metacli/cmd/meta@latest

SKILL.md

meta

Use meta for Meta Marketing API and Instagram workflows. Fail closed: if required inputs are missing or any command fails, stop immediately and surface the error.

Install

  • go install github.com/bilalbayram/metacli/cmd/meta@latest
  • meta --help

Human-required auth bootstrap (must happen first)

  • Human creates a Meta app and provides APP_ID and APP_SECRET.
  • Human configures OAuth redirect allowlist in Meta Developer settings with the exact REDIRECT_URI.
  • Redirect must resolve to the AI host callback endpoint. For a local AI host:
    • cloudflared tunnel --url http://127.0.0.1:53682 (or similar, it must be HTTPS)
    • Set REDIRECT_URI=https://<tunnel-domain>/oauth/callback
  • AI runs setup without auto-opening a local browser:
    • meta auth setup --profile <PROFILE> --app-id <APP_ID> --app-secret <APP_SECRET> --redirect-uri <REDIRECT_URI> --mode both --scope-pack solo_smb --listen 127.0.0.1:53682 --timeout 180s --open-browser=false
  • Human opens returned auth_url on their own machine, logs in, and grants consent.
  • OAuth redirect lands on the AI host and token exchange completes there.
  • Validate immediately:
    • meta auth validate --profile <PROFILE> --min-ttl 72h

Common commands

  • Schema sync (recommended before writes): meta schema sync --schema-dir ~/.meta/schema-packs
  • Accounts list: meta --profile <PROFILE> insights accounts list --active-only --output table
  • Graph read: meta --profile <PROFILE> api get act_<AD_ACCOUNT_ID>/campaigns --fields id,name,status --limit 100 --follow-next
  • Campaign dry-run: meta --profile <PROFILE> campaign create --account-id <AD_ACCOUNT_ID> --params "name=<NAME>,objective=OUTCOME_SALES,status=PAUSED" --schema-dir ~/.meta/schema-packs --dry-run
  • Campaign create: meta --profile <PROFILE> campaign create --account-id <AD_ACCOUNT_ID> --params "name=<NAME>,objective=OUTCOME_SALES,status=PAUSED" --schema-dir ~/.meta/schema-packs
  • Campaign budget update: meta --profile <PROFILE> campaign update --campaign-id <CAMPAIGN_ID> --params "daily_budget=<AMOUNT_IN_MINOR_UNITS>" --confirm-budget-change
  • Insights run: meta --profile <PROFILE> insights run --account-id <AD_ACCOUNT_ID> --date-preset last_7d --level campaign --metric-pack quality --format jsonl
  • IG publish feed: meta --profile <PROFILE> ig publish feed --media-url <HTTPS_MEDIA_URL> --caption "<CAPTION>" --idempotency-key <UNIQUE_KEY>

Rules

  • Never invent IDs, profile names, paths, redirect URIs, or payload fields.
  • Require explicit confirmation before budget-changing mutations.
  • Prefer machine-readable output (--output json or --format jsonl) for automation.
  • Redact secrets (APP_SECRET, access tokens) when echoing commands/results.

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…