ClawHub

Meta Ad Creatives

v1.0.0

Track Meta (Facebook/Instagram) ad creative performance and hit rates across multiple accounts. Use when asked about creative win rates, which ads are hitting benchmarks, CPT/CPI/ROAS analysis, or comparing creative performance across accounts and time periods. Supports multiple benchmark metrics (CPT, CPI, IPM, ROAS) and currency conversion.

5· 1.9k·0 current·0 all-time
by@fortytwode
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The code and SKILL.md clearly require Facebook API credentials (FACEBOOK_ACCESS_TOKEN, FACEBOOK_APP_ID, FACEBOOK_APP_SECRET) to function, which is appropriate for the stated purpose. However, the registry metadata declares no required environment variables or primary credential — an inconsistency that could mislead users into installing without providing needed secrets or without realizing the skill will use them. The capability requested (access to Meta Ads via access token) matches the skill purpose, but the metadata omission is problematic.
Instruction Scope
The SKILL.md instructs the agent to load Facebook credentials (via env vars/.env), create an accounts_config.json, and optionally use Firestore (default) or SQLite (local fallback). The instructions and included code operate only on the described data sources (Meta Graph API, local config, local DB/Firestore). There is no obvious instruction to read unrelated user files. Two notes of caution: 1) load_dotenv() will load a .env file if present (so any secrets in a local .env could be picked up), and 2) the SKILL.md's default of Firestore for historical storage implies cloud credentials or application-default credentials may be used — that is not documented in the registry metadata or environment requirements.
!
Install Mechanism
This is an instruction-only skill with an included Python script and no install spec. The code uses third-party packages (requests, python-dotenv) but the skill provides no dependency or install instructions. That omission can cause runtime failures or surprise if the environment automatically installs packages. Lack of an explicit, trusted install mechanism (requirements.txt or package declaration) increases risk because required packages and their versions are not documented.
!
Credentials
The SKILL.md (and code) legitimately require Facebook API credentials and optionally a Firestore/GCP credential if Firestore is used. The registry, however, declares no required env vars or primary credential. This mismatch is disproportionate: users will be prompted to provide sensitive tokens by the README/code but the registry metadata does not surface that need. Additionally, Firestore as the default persistent store could attempt to use GCP credentials that are not declared or explained.
Persistence & Privilege
The skill does not request global 'always' presence, does not modify other skills' configs, and uses only its own data paths (data/hit_rates.db and accounts_config.json). Storing historical data in Firestore or SQLite is consistent with its purpose. No elevated platform privileges are requested in the metadata.
What to consider before installing
This skill appears to do what it says (query Meta Graph API, compute hit rates, store history), but there are several mismatches you should check before installing or running it: - The SKILL.md and the Python code expect FACEBOOK_ACCESS_TOKEN, FACEBOOK_APP_ID, and FACEBOOK_APP_SECRET (and will load a .env if present), but the registry metadata does not list any required environment variables. Treat this as a warning: the skill needs sensitive API credentials to operate. - The skill defaults to Firestore for storage unless you set USE_FIRESTORE=false. If left as default, it may attempt to use Google application-default credentials or other GCP service account keys — ensure you understand and control which cloud credentials will be available to the process. - There is no install/dependency specification. The script imports requests and python-dotenv; make sure you run it in a controlled environment with explicit dependency management (virtualenv, pinned requirements) to avoid supply-chain surprises. - The code will make network calls to graph.facebook.com using whatever access token you provide. Only supply tokens that are scoped appropriately and belong to accounts you expect the skill to read. Review the accounts_config.json to ensure it only lists accounts you want queried. - If you are concerned about cloud access, set USE_FIRESTORE=false to force local SQLite storage and run the tool in an isolated environment. Given these inconsistencies, do not provide production credentials or open cloud credentials to this skill until you (or a trusted reviewer) confirm the Firestore usage and add explicit install and credential declarations. If you want, provide the rest of the Python file (it was truncated in the review) and I can re-check for any additional network endpoints or unexpected behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk976q9td8r7t2bagg2ej16fz4h80e2m7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments