← 返回 Skills 市场
metacli
作者
Bilal Bayram
· GitHub ↗
· v1.0.0
449
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install metacli
功能描述
Meta Marketing CLI for authentication lifecycle, Graph API requests, campaign/ad/adset writes, insights reporting, and Instagram publishing. Use when handlin...
安全使用建议
This skill appears to be the Meta Marketing CLI it claims to be, but pay attention to a few risks before installing or using it: (1) The runtime instructions require APP_ID and APP_SECRET even though the metadata declares no required env vars — do not pass your App Secret or long-lived tokens without understanding where they will be stored and who/what can read them. Prefer short-lived tokens or manual exchange if possible. (2) The doc recommends exposing the AI host to receive OAuth callbacks (cloudflared) and binding a listener — verify you're comfortable running an endpoint that accepts web redirects. (3) The install builds a binary from github.com/bilalbayram/metacli; review the repo and lock to a specific commit or release rather than @latest. (4) Consider running the CLI in a sandboxed environment or ephemeral container, and confirm where tokens and schema files (e.g., ~/.meta/) are written. (5) Ask the skill author or maintainer to: declare APP_ID/APP_SECRET/REDIRECT_URI in requires.env or explicitly state how secrets are provided and stored, and list cloudflared (or alternate tunneling tools) in required binaries. If you cannot verify these details, treat the skill with caution and avoid supplying high-privilege app secrets.
功能分析
Type: OpenClaw Skill
Name: metacli
Version: 1.0.0
The skill is classified as suspicious due to the installation method specified in `SKILL.md`. It instructs the AI agent to install the `meta` CLI tool using `go install github.com/bilalbayram/metacli/cmd/meta@latest`. This introduces a supply chain vulnerability, as the AI agent fetches and executes code from a remote GitHub repository. If the upstream repository were compromised, this could lead to remote code execution (RCE) on the agent's host. Additionally, the `meta` CLI itself provides broad, high-impact capabilities such as managing advertising budgets and publishing content, which, while intended, represent significant inherent risk.
能力评估
Purpose & Capability
The name/description describe a Meta Marketing CLI and the instructions and install spec all reference the same 'meta' CLI (go module github.com/bilalbayram/metacli/cmd/meta). Requiring the 'meta' binary and offering a go install for that module is coherent with the stated purpose.
Instruction Scope
SKILL.md directs the AI to perform OAuth setup on the AI host (listen on 127.0.0.1 and accept the redirect), run authentication flows, and handle APP_ID/APP_SECRET. It also recommends using cloudflared to expose an HTTPS redirect URI. These are functional for OAuth but expand the agent's runtime responsibilities (opening ports, receiving external callbacks). The instructions also tell humans to open auth URLs in their browsers and rely on the AI host to finish token exchange. The doc warns to redact secrets, but it still instructs passing APP_SECRET and tokens via CLI parameters (or environment), which increases risk of accidental leakage in process args or logs.
Install Mechanism
Install uses go install of a GitHub module (github.com/bilalbayram/metacli/cmd/meta@latest) which is common and traceable. This will build a binary named 'meta' on the host. Using a Go module from GitHub is moderate-risk but expected for CLI tools; there's no opaque download or archive extract. Verify the repository and its code before installing.
Credentials
The SKILL.md explicitly requires APP_ID, APP_SECRET, and REDIRECT_URI for the auth bootstrap, but the registry metadata lists no required env vars. The doc also references storing schemas under ~/.meta/schema-packs and suggests using cloudflared (an extra binary) — neither are declared in the skill requirements. Passing APP_SECRET on the command line or storing it on the AI host is sensitive and not justified in the metadata. This mismatch between declared requirements and actual instructions reduces transparency and increases risk of secret exposure.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide configs. It requires running a binary on demand and performing OAuth flows on the agent host; those are operational privileges but not an elevated persistent platform privilege.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install metacli - 安装完成后,直接呼叫该 Skill 的名称或使用
/metacli触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of metacli – the Meta Marketing CLI.
- Provides CLI access for Meta ads, Graph API, insights, and Instagram publishing.
- Implements strict fail-closed behavior: stops on missing inputs or command failures.
- Supports secure, human-involved OAuth authentication flow.
- Includes commands for schema sync, account/campaign management, and reporting.
- Enforces rules for safety (no ID invention, confirmation on budget edits, and redaction of secrets).
- Recommended for integrating Meta ads workflows with automation from the terminal.
元数据
常见问题
metacli 是什么?
Meta Marketing CLI for authentication lifecycle, Graph API requests, campaign/ad/adset writes, insights reporting, and Instagram publishing. Use when handlin... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 449 次。
如何安装 metacli?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install metacli」即可一键安装,无需额外配置。
metacli 是免费的吗?
是的,metacli 完全免费(开源免费),可自由下载、安装和使用。
metacli 支持哪些平台?
metacli 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 metacli?
由 Bilal Bayram(@bilalbayram)开发并维护,当前版本 v1.0.0。
推荐 Skills