Security scan
OpenClaw
Suspicious
High confidence: the skill's instructions explicitly require an access token and an account ID and involve sensitive data operations (logging, caching, long-lived/system tokens), yet the published metadata declares no required credentials or configuration. This mismatch, together with the risk of token leakage, is a concern.
Assessment recommendations
Do not install or enable this skill until the publisher corrects the metadata and clarifies storage/secret handling. Specific actions to request or verify before use:
- Metadata fixes: require.env / primaryEnv should list the access token and ad_account_id (or explain how the token is provided). A trusted publisher should declare required credentials.
- Least privilege: only grant the minimal scopes needed (prefer ads_read for read-only use). Avoid long-lived or Business Manager system-user toke...
⚠ Purpose and capabilities
The human-readable description and SKILL.md both describe a Meta Marketing API integration (reading/creating campaigns, insights) which legitimately requires an access_token and ad_account_id. However, the registry metadata declares no required environment variables or primary credential. That discrepancy (instructions require credentials but metadata lists none) is an incoherence that should be resolved.
⚠ Instruction scope
SKILL.md gives explicit runtime steps that include creating/updating campaigns, paging through results, caching campaign lists, logging all API responses, and recommending long-lived/system user tokens. 'Log all API responses' and 'cache campaign lists' imply writing or persisting potentially sensitive API responses or tokens. The instructions also say 'Never expose access tokens' but do not specify how logs/caches are sanitized, or where/how persistent storage is used. These gaps expand scope beyond a minimal API client and risk accidental credential exposure.
✓ Install mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. That is the lowest-risk install mechanism. However, the runtime instructions still imply persistence (caching/logging), which is not described in the metadata.
⚠ Credential requirements
SKILL.md explicitly requires 'access_token' and 'ad_account_id' and lists permissions (ads_read, ads_management). The registry claims no required environment variables or primary credential. Requesting access tokens and recommending long-lived system user tokens are proportionate to the stated functionality, but the metadata omission is problematic and the recommendation of long-lived/system tokens increases blast radius if mishandled.
⚠ Persistence and permissions
The skill is not flagged always:true and is user-invocable (defaults). Still, the instructions call for caching and logging of API responses without specifying storage location, retention, or sanitization. That implies persistence and potential exposure of sensitive data despite no declared config paths. The lack of clarity about where data will be stored or how it will be protected is a concern.
Security comes in layers; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 (2026/4/24)
Meta Ads API Skill v1.0.0 – initial release: lets an agent read, create and manage Meta (Facebook/Instagram) ad campaigns through the Marketing API.
- Supports fetching and creating campaigns, ad sets and ads, including core metrics (impressions, clicks, spend, CTR, CPC).
- Covers authentication, permissions, pagination, error handling and rate-limit guidance.
- Provides agent rules for safety, efficiency and reliability, plus automated ad-performance analysis logic.
- Complete request and payload examples for all major API operations.
● Harmless
Install command
Official: npx clawhub@latest install metaads
Mirror (accelerated): npx clawhub@latest install metaads --registry https://cn.longxiaskill.com
Skill documentation
Overview
This skill lets an agent read, create and manage Meta (Facebook/Instagram) ad campaigns through the Marketing API.
Basic configuration
API Base URL
```
https://graph.facebook.com/v19.0/
```
Required parameters
access_token
ad_account_id (format: act_)
Authentication
Method
Pass the access token in the query string or in a header:
```
Authorization: Bearer
```
or
```
?access_token=
```
Required permissions
| Permission | Purpose |
| -------------- | ----------------------------- |
| ads_read | Read campaigns, ads and insights |
| ads_management | Create and update campaigns |
Core entities
Campaign → top-level objective
Ad Set → budget + targeting
Ad → creative (image/video + copy)
# Read operations (primary)
1. Get campaigns
Endpoint
```
GET /act_/campaigns
```
Example
```
GET /act_/campaigns?fields=id,name,status,objective
```
2. Get ad sets
```
GET /act_/adsets?fields=id,name,campaign_id,status,daily_budget
```
3. Get ads
```
GET /act_/ads?fields=id,name,adset_id,status
```
4. Campaign insights
```
GET //insights?fields=impressions,clicks,spend,ctr,cpc
```
5. Account insights
```
GET /act_/insights?fields=impressions,clicks,spend&date_preset=last_7d
```
6. Time-range filter
```
time_range={'since':'2024-01-01','until':'2024-01-31'}
```
7. Status filter
```
effective_status=['ACTIVE']
```
8. Level
```
level=campaign | adset | ad
```
Pagination
The response contains:
```
paging.next
```
Agent rules
Follow paging.next until no more data is returned
Safety cap: e.g. 10 pages
# Write operations
9. Create campaign
```
POST /act_/campaigns
```
Payload:
```
name=My Campaign
objective=CONVERSIONS
status=PAUSED
special_ad_categories=[]
```
10. Create ad set
```
POST /act_/adsets
```
Payload:
```
name=Ad Set 1
daily_budget=1000
billing_event=IMPRESSIONS
optimization_goal=REACH
campaign_id=
targeting={"geo_locations":{"countries":["MA"]}}
status=PAUSED
```
11. Create ad creative
```
POST /act_/adcreatives
```
Payload:
```
name=Creative 1
object_story_spec={"page_id":"","link_data":{"message":"Hello","link":"https://example.com"}}
```
12. Create ad
```
POST /act_/ads
```
Payload:
```
name=Ad 1
adset_id=
creative={"creative_id":""}
status=PAUSED
```
13. Update campaign status
```
POST /?status=PAUSED
```
# Insight metrics
Common fields:
impressions
clicks
spend
ctr
cpc
conversions (if configured)
# Error handling
| Code | Meaning |
| ---- | ----------------------- |
| 190 | Token invalid/expired |
| 200 | Insufficient permission |
| 100 | Invalid parameter |
# Rate limits
Respect HTTP 429
Retry with exponential backoff
Batch requests where possible
# Agent rules (important)
Safety
Always create campaigns with status PAUSED
Never expose access tokens
Validate all IDs before use
Efficiency
Cache the campaign list
Avoid duplicate API calls
Prefer the insights endpoints over raw data
Reliability
Retry failed requests (up to 3 times)
Log all API responses
Detect empty responses
# Analysis logic (agent intelligence)
Identify inefficiency
High spend + low CTR → flag
High CPC → suggest pausing
Identify strong performers
High CTR + low CPC → increase budget
Example rule
```
IF spend > 50 AND ctr < 0.5% THEN mark campaign as underperforming
```
# Example request flow
- Fetch campaigns
- Fetch insights
- Analyze metrics
- Decide on an action
- Update campaigns (pause / scale)
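The agent rules, the example rule and the request flow above, put together as a small insights client: it follows paging.next under the page cap, retries HTTP 429 with exponential backoff up to three times, maps the error-code table, redacts the token before any response line is logged (the scan's concern), and applies the spend/CTR rule. This is an added example, not the skill's own code; the Graph API is stood in for by a constructed in-memory transport, and the URLs, account id act_123 and token value FAKE_TOKEN are made up.

```python
import re
import time
# Added example, not the skill's own code: the Graph API is replaced by an
# in-memory transport built from constructed responses, so it runs offline.
GRAPH = "https://graph.facebook.com/v19.0/"
MAX_PAGES, MAX_RETRIES = 10, 3   # SKILL.md: page cap for paging.next, retry budget
ERROR_MEANING = {190: "token invalid/expired", 200: "insufficient permission", 100: "invalid parameter"}
TOKEN_RE = re.compile(r"(access_token=)[^&\s]+")
def redact(text):
    """Mask access_token values so logs and caches never hold a usable token."""
    return TOKEN_RE.sub(r"\1[REDACTED]", text)
def describe_error(body):
    """Map a Graph error envelope onto the SKILL.md error table; None when there is no error."""
    code = body.get("error", {}).get("code")
    return None if "error" not in body else f"API error {code}: {ERROR_MEANING.get(code, 'unknown')}"
def fetch_all(transport, url, log, sleep=time.sleep, max_pages=MAX_PAGES):
    """Follow paging.next up to max_pages; transport(url) -> (http_status, json); 429 is retried."""
    rows, pages = [], 0
    while url and pages < max_pages:
        for attempt in range(MAX_RETRIES):
            status, body = transport(url)
            log.append(f"{status} {redact(url)}")  # redact before the URL reaches the log
            if status != 429:
                break
            sleep(2 ** attempt)                    # exponential backoff: 1s, 2s, 4s
        else:
            raise RuntimeError(f"rate limited after {MAX_RETRIES} retries")
        if (err := describe_error(body)) is not None:
            raise RuntimeError(err)
        rows.extend(body.get("data", []))
        url = body.get("paging", {}).get("next")   # a missing next ends the loop
        pages += 1
    return rows
def is_underperforming(row):
    """SKILL.md example rule: spend > 50 AND ctr < 0.5 (Graph reports ctr as a percentage)."""
    return float(row["spend"]) > 50 and float(row["ctr"]) < 0.5
PAGE1 = GRAPH + "act_123/insights?level=campaign&fields=spend,ctr&access_token=FAKE_TOKEN"
PAGE2 = PAGE1 + "&after=c2"
RESPONSES = {  # constructed: page 1 is rate limited once; page 2 has no paging.next
    PAGE1: [(429, {}), (200, {"data": [{"campaign_id": "1", "spend": "80.0", "ctr": "0.30"}],
                              "paging": {"next": PAGE2}})],
    PAGE2: [(200, {"data": [{"campaign_id": "2", "spend": "20.0", "ctr": "1.50"}], "paging": {}})]}
def run_demo():
    queues = {u: list(q) for u, q in RESPONSES.items()}  # fresh copy so each run sees the 429
    transport = lambda u: queues[u].pop(0) if len(queues[u]) > 1 else queues[u][0]
    log = []
    rows = fetch_all(transport, PAGE1, log, sleep=lambda s: None)
    return rows, [r["campaign_id"] for r in rows if is_underperforming(r)], log
```

Against a real account the transport would be an HTTP GET that returns the status code and parsed JSON, and the same redacted log lines are what should be persisted, never the raw URL or token.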
# Best practices
Use long-lived tokens
Prefer system users (Business Manager)
Monitor token expiry
Use a versioned API (v19.0+)
# Notes
Insights data is delayed, not real-time
Conversion tracking requires a Pixel or CAPI
Some features require app review