← 返回 Skills 市场
ZuckerBot
作者
Crumbedsausage
· GitHub ↗
· v1.0.0
372
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install zuckerbotmcp
功能描述
Use this skill whenever the user or agent needs to interact with Facebook or Instagram ads via Meta's API. Trigger this skill when: the user wants to launch,...
安全使用建议
This skill could be legitimate, but there are important unknowns and inconsistencies you should resolve before installing or providing keys: 1) Verify the external service and developer: find and inspect zuckerbot.ai and the npm package ([email protected]). Ensure the domain, privacy policy, and developer identity are trustworthy. 2) Ask where credentials are stored and who can access them (local agent-only, platform vault, or ZuckerBot servers). Prefer short-lived OAuth tokens or scoped tokens you can revoke. 3) Request an explicit install/connection flow or a published connector rather than implicit npm references in SKILL.md. 4) Limit autonomous invocation if you want control: do not allow the agent to call the skill automatically for every Meta-ads mention until you trust the integration. 5) If you must test, use a throwaway Meta account and tightly scoped test API key you can revoke. If the provider cannot answer the storage and install questions, treat the skill as risky and avoid providing production credentials.
功能分析
Type: OpenClaw Skill
Name: zuckerbotmcp
Version: 1.0.0
The skill bundle is classified as suspicious due to its reliance on an external, potentially untrusted domain (`zuckerbot.ai`) for sensitive authentication and API key management, as described in `Skill.MD`. The instructions direct the AI agent to prompt users to visit `zuckerbot.ai` for OAuth and API key generation, and explicitly state that 'ZuckerBot stores credentials'. While the skill's stated purpose (Meta Ads API interaction) is benign, the dependency on an external service for credential handling and the potential for `zuckerbot.ai` to be a phishing vector or compromised supply chain component introduce significant security risks, even without explicit malicious instructions within the skill bundle itself.
能力评估
Purpose & Capability
The skill claims to operate against the Meta Ads API via a 'ZuckerBot MCP server' (npm: [email protected]) and via OAuth on zuckerbot.ai, which is coherent with ad-management functionality. However, the registry metadata and SKILL.md do not declare any required installs, dependencies, or environment variables for that npm package or a connector. There is no homepage or source URL to verify the external service (zuckerbot.ai) or the npm package. The presence of a specific npm package in compatibility.tools without an install mechanism is an inconsistency.
Instruction Scope
The SKILL.md restricts actions to campaign creation, management, research, and conversion syncing — these are in-scope for an ad-management skill. However, it instructs the agent to prompt users to visit zuckerbot.ai, obtain an API key, and says 'ZuckerBot stores credentials, so this is a one-time step per session' without specifying where or how credentials are stored (agent memory, platform vault, remote service). That ambiguity increases risk because it could lead to credentials being retained or transmitted to an unknown third party.
Install Mechanism
This is an instruction-only skill with no install spec or code files (lower surface risk). Still, it's inconsistent that compatibility.tools lists a specific npm package ([email protected]) but there are no install instructions or declared runtime requirements. If the skill relies on that package/server, the registry should declare how that integration is provided; absence of that information is a gap.
Credentials
The skill does not request any environment variables or platform secrets in metadata, and instead expects the user to obtain an API key via zuckerbot.ai OAuth and provide it at runtime. Requesting a service-specific API key is proportionate to the task. The concern is the unspecified storage/handling of that API key and lack of clarity about token scope/lifetime (short-lived vs long-lived).
Persistence & Privilege
The skill is not marked always:true, but the SKILL.md instructs: 'Even if the user doesn't say "ZuckerBot" — if ads on Meta are involved, use this skill.' That gives the agent broad discretionary trigger conditions. Combined with the ability to accept and 'store' API keys for future use, this creates a larger blast radius if the integration or storage is opaque. The skill does not indicate it will modify other skills or system config.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install zuckerbotmcp - 安装完成后,直接呼叫该 Skill 的名称或使用
/zuckerbotmcp触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release. Full Meta Ads API skill covering campaign creation, launch, A/B testing, performance monitoring, market research, competitor analysis, and conversion sync.
元数据
常见问题
ZuckerBot 是什么?
Use this skill whenever the user or agent needs to interact with Facebook or Instagram ads via Meta's API. Trigger this skill when: the user wants to launch,... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 372 次。
如何安装 ZuckerBot?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install zuckerbotmcp」即可一键安装,无需额外配置。
ZuckerBot 是免费的吗?
是的,ZuckerBot 完全免费(开源免费),可自由下载、安装和使用。
ZuckerBot 支持哪些平台?
ZuckerBot 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 ZuckerBot?
由 Crumbedsausage(@crumbedsausage)开发并维护,当前版本 v1.0.0。
推荐 Skills