← Back to Skills Marketplace
ZuckerBot
by
Crumbedsausage
· GitHub ↗
· v1.0.0
372
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install zuckerbotmcp
Description
Use this skill whenever the user or agent needs to interact with Facebook or Instagram ads via Meta's API. Trigger this skill when: the user wants to launch,...
Usage Guidance
This skill could be legitimate, but there are important unknowns and inconsistencies you should resolve before installing or providing keys: 1) Verify the external service and developer: find and inspect zuckerbot.ai and the npm package ([email protected]). Ensure the domain, privacy policy, and developer identity are trustworthy. 2) Ask where credentials are stored and who can access them (local agent-only, platform vault, or ZuckerBot servers). Prefer short-lived OAuth tokens or scoped tokens you can revoke. 3) Request an explicit install/connection flow or a published connector rather than implicit npm references in SKILL.md. 4) Limit autonomous invocation if you want control: do not allow the agent to call the skill automatically for every Meta-ads mention until you trust the integration. 5) If you must test, use a throwaway Meta account and tightly scoped test API key you can revoke. If the provider cannot answer the storage and install questions, treat the skill as risky and avoid providing production credentials.
Capability Analysis
Type: OpenClaw Skill
Name: zuckerbotmcp
Version: 1.0.0
The skill bundle is classified as suspicious due to its reliance on an external, potentially untrusted domain (`zuckerbot.ai`) for sensitive authentication and API key management, as described in `Skill.MD`. The instructions direct the AI agent to prompt users to visit `zuckerbot.ai` for OAuth and API key generation, and explicitly state that 'ZuckerBot stores credentials'. While the skill's stated purpose (Meta Ads API interaction) is benign, the dependency on an external service for credential handling and the potential for `zuckerbot.ai` to be a phishing vector or compromised supply chain component introduce significant security risks, even without explicit malicious instructions within the skill bundle itself.
Capability Assessment
Purpose & Capability
The skill claims to operate against the Meta Ads API via a 'ZuckerBot MCP server' (npm: [email protected]) and via OAuth on zuckerbot.ai, which is coherent with ad-management functionality. However, the registry metadata and SKILL.md do not declare any required installs, dependencies, or environment variables for that npm package or a connector. There is no homepage or source URL to verify the external service (zuckerbot.ai) or the npm package. The presence of a specific npm package in compatibility.tools without an install mechanism is an inconsistency.
Instruction Scope
The SKILL.md restricts actions to campaign creation, management, research, and conversion syncing — these are in-scope for an ad-management skill. However, it instructs the agent to prompt users to visit zuckerbot.ai, obtain an API key, and says 'ZuckerBot stores credentials, so this is a one-time step per session' without specifying where or how credentials are stored (agent memory, platform vault, remote service). That ambiguity increases risk because it could lead to credentials being retained or transmitted to an unknown third party.
Install Mechanism
This is an instruction-only skill with no install spec or code files (lower surface risk). Still, it's inconsistent that compatibility.tools lists a specific npm package ([email protected]) but there are no install instructions or declared runtime requirements. If the skill relies on that package/server, the registry should declare how that integration is provided; absence of that information is a gap.
Credentials
The skill does not request any environment variables or platform secrets in metadata, and instead expects the user to obtain an API key via zuckerbot.ai OAuth and provide it at runtime. Requesting a service-specific API key is proportionate to the task. The concern is the unspecified storage/handling of that API key and lack of clarity about token scope/lifetime (short-lived vs long-lived).
Persistence & Privilege
The skill is not marked always:true, but the SKILL.md instructs: 'Even if the user doesn't say "ZuckerBot" — if ads on Meta are involved, use this skill.' That gives the agent broad discretionary trigger conditions. Combined with the ability to accept and 'store' API keys for future use, this creates a larger blast radius if the integration or storage is opaque. The skill does not indicate it will modify other skills or system config.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install zuckerbotmcp - After installation, invoke the skill by name or use
/zuckerbotmcp - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release. Full Meta Ads API skill covering campaign creation, launch, A/B testing, performance monitoring, market research, competitor analysis, and conversion sync.
Metadata
Frequently Asked Questions
What is ZuckerBot?
Use this skill whenever the user or agent needs to interact with Facebook or Instagram ads via Meta's API. Trigger this skill when: the user wants to launch,... It is an AI Agent Skill for Claude Code / OpenClaw, with 372 downloads so far.
How do I install ZuckerBot?
Run "/install zuckerbotmcp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ZuckerBot free?
Yes, ZuckerBot is completely free (open-source). You can download, install and use it at no cost.
Which platforms does ZuckerBot support?
ZuckerBot is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ZuckerBot?
It is built and maintained by Crumbedsausage (@crumbedsausage); the current version is v1.0.0.
More Skills