ClawHub

Meta Ads

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a straightforward instruction-only Meta Ads API reference, but it requires powerful ad-account credentials and includes write/delete operations that can affect campaigns and spending.

Use this only if you intend to let the agent work with a Meta Ads account. Provide a dedicated limited token, verify the ad account ID, require explicit approval before activation, deletion, or budget changes, and set spend limits in Meta Business Manager.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI02: Tool Misuse and Exploitation
Medium
What this means

If these commands are run against the wrong account or object, campaigns, ad sets, or ads could be changed or deleted.

Why it was flagged

The skill documents high-impact Meta Ads API operations, including write and delete actions. This is purpose-aligned for an ads-management skill, but mistakes could affect live business assets.

Skill content
`ads_management` - Create, edit, and delete ads ... `curl -X DELETE "https://graph.facebook.com/v25.0/{CAMPAIGN_ID}"`
Recommendation

Use explicit user confirmation for create/update/delete/activate actions, verify IDs before execution, and prefer paused drafts for new ads until reviewed.

#
ASI03: Identity and Privilege Abuse
Low
What this means

A leaked or over-scoped token could allow changes to Meta advertising assets and potentially affect ad spend.

Why it was flagged

The skill requires a Meta token with ads-management authority and mentions persistent system user tokens. That access is expected for the stated purpose, but it is powerful and not reflected in the registry's credential declarations.

Skill content
`META_ACCESS_TOKEN` - Meta access token ... `ads_management` - Create, edit, and delete ads ... `System User Token` - No expiration
Recommendation

Use a dedicated least-privilege token, restrict it to the intended ad account, store it securely, monitor activity, and revoke it when no longer needed.

#
ASI08: Cascading Failures
Medium
What this means

A mistaken budget or activation change could cause unintended advertising spend or public ad delivery.

Why it was flagged

The documented examples include budget and activation changes. These are normal Meta Ads operations, but an incorrect value or status change could propagate into real ad delivery and spend.

Skill content
`"daily_budget": 10000, "status": "ACTIVE"` ... `Budget values are in cents`
Recommendation

Set account-level spend limits, review budget units carefully, keep new/changed campaigns paused until approved, and audit changes after execution.