Is kein-s/meta-ads-report safe?

https://github.com/openclaw/skills/tree/main/skills/kein-s/meta-ads-report

90
SAFE

This skill is a straightforward Meta Ads analytics wrapper that reads declared API credentials from .env and calls Meta's Graph API to retrieve spend, conversion, and CAC data. No prompt injection, hidden code execution vectors, unexpected network connections, or canary file modifications were detected during the audit. The only notable concerns are a broad urllib3<2 version pin (a common facebook-business SDK workaround that spans known-vulnerable releases) and the inherent risk that comes with any skill storing and using a third-party API token.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 93/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (6)

LOW urllib3<2 sets only an upper bound, so older, potentially vulnerable 1.x releases are accepted -10

requirements.txt constrains urllib3 to versions below 2.0 but sets no lower bound. The constraint is a documented compatibility workaround for the facebook-business SDK, yet as written it accepts every 1.x release, including pre-1.26 versions and early 1.26 patch releases with known CVEs (e.g., header injection). In practice pip's resolver chooses the newest matching release, so a fresh install normally lands on the latest 1.26.x; the exposure is realised when a lockfile, a cached wheel, or another dependency's constraint drags the resolution lower. The constraint should be reviewed against the current facebook-business SDK changelog and, if 1.x is still required, tightened to a form with an explicit floor at the latest patched 1.26 release (urllib3>=1.26.N,<2).
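
The kind of check a reviewer would run on this finding, as an added example rather than code from the skill or the audit tool: a standard-library script that parses requirements.txt-style text, flags specifiers that cap a version without setting a minimum, and tests whether a given release satisfies a specifier. The sample requirements text and the version numbers in the demo (1.25.8, 1.26.18) are constructed for illustration; the parser covers only the subset of the requirement grammar a pin audit needs.

```python
"""Flag requirement specifiers that bound a package from above only (e.g. urllib3<2).

Added example for this report, not code from the audited skill or the audit tool.
It parses requirements.txt-style text with the standard library only, reports
specifiers that have an upper bound but no lower bound, and checks whether a
given release satisfies a specifier. The sample requirements are constructed.
"""
import re
from typing import List, Tuple

Spec = Tuple[str, str]  # (operator, version)

# Operators that put a floor under the accepted range.
LOWER_BOUND_OPS = {">=", ">", "==", "===", "~="}
UPPER_BOUND_OPS = {"<", "<="}

NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
SPEC_RE = re.compile(r"(===|==|!=|<=|>=|~=|<|>)\s*([0-9][0-9A-Za-z.*+!-]*)")


def parse_requirement(line: str) -> Tuple[str, List[Spec]]:
    """Return (normalised name, [(op, version), ...]) for one requirement line.

    Comments, environment markers and extras are dropped: this covers only the
    subset of PEP 508 needed for a pin audit, not the full grammar.
    """
    body = line.split("#", 1)[0].split(";", 1)[0].strip()
    m = NAME_RE.match(body)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name = m.group(1).lower().replace("_", "-")
    rest = re.sub(r"\[[^\]]*\]", "", body[m.end():])  # strip [extras]
    return name, SPEC_RE.findall(rest)


def release_tuple(version: str) -> Tuple[int, ...]:
    """Numeric release segments only: '1.26.18' -> (1, 26, 18); pre/post tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def accepts(specs: List[Spec], candidate: str) -> bool:
    """True if every specifier admits `candidate`, comparing release segments."""
    c = release_tuple(candidate)
    for op, ver in specs:
        v = release_tuple(ver)
        if op == "==" and ver.endswith(".*"):
            ok = c[: len(v)] == v  # prefix match, e.g. ==1.*
        elif op in ("==", "==="):
            ok = c == v
        elif op == "!=":
            ok = c != v
        elif op == "<":
            ok = c < v
        elif op == "<=":
            ok = c <= v
        elif op == ">":
            ok = c > v
        elif op == ">=":
            ok = c >= v
        else:  # "~=": at least v, and matching all but the last given segment
            ok = c >= v and c[: len(v) - 1] == v[: len(v) - 1]
        if not ok:
            return False
    return True


def find_upper_bound_only(requirements_text: str) -> List[str]:
    """Names whose specifiers cap the version but never set a minimum."""
    flagged = []
    for raw in requirements_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", "-")):
            continue  # blank, comment, or pip option such as -r / --index-url
        name, specs = parse_requirement(raw)
        ops = {op for op, _ in specs}
        if ops & UPPER_BOUND_OPS and not ops & LOWER_BOUND_OPS:
            flagged.append(name)
    return flagged


# Constructed sample modelled on the audited skill's requirements.txt.
SAMPLE_REQUIREMENTS = """\
facebook-business
python-dotenv>=1.0
urllib3<2   # compatibility workaround for facebook-business
"""

if __name__ == "__main__":
    for name in find_upper_bound_only(SAMPLE_REQUIREMENTS):
        print(f"{name}: upper bound only; every older release is accepted")
    _, loose = parse_requirement("urllib3<2")
    _, tight = parse_requirement("urllib3>=1.26.18,<2")  # illustrative floor
    for label, specs in (("urllib3<2", loose), ("urllib3>=1.26.18,<2", tight)):
        print(label, "accepts 1.25.8:", accepts(specs, "1.25.8"))
```

Running it against the sample flags only urllib3; the same `accepts()` check shows why the fix matters: `urllib3<2` admits 1.25.8 while `urllib3>=1.26.18,<2` rejects it. Pre-release and local-version tags are deliberately ignored, so use the `packaging` library when exact PEP 440 semantics are required.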

LOW load_dotenv() reads the entire .env file at import time -5

Both Python files call load_dotenv() unconditionally at module load. If the .env file contains credentials beyond the three declared META_* variables, those values are also loaded into the process environment. The skill does not read or transmit any other environment variables, but once loaded the values are visible to any code running in the same Python process and are inherited by any subprocess it spawns. Reading only the declared keys (for example via dotenv_values() filtered through an allowlist) instead of populating os.environ wholesale would remove that exposure.
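
To make the exposure concrete, an added example (not code from the skill) contrasts a load_dotenv()-style load, which exports every .env entry into os.environ where child processes inherit it, with an allowlisted read that keeps only the declared keys in a local dict. The .env content is constructed, the META_* variable names are placeholders (the report does not list the skill's actual names), and the small parser is an illustration rather than python-dotenv's own.

```python
"""Read only declared keys from a .env file instead of calling load_dotenv().

Added example for this report, not code from the audited skill. It contrasts
what an unconditional load_dotenv() does (every .env entry lands in os.environ
and is inherited by child processes) with reading an allowlist of declared
keys into a local dict. The tiny parser here is an illustration, not
python-dotenv's; the .env content and the META_* names are constructed.
"""
import json
import os
import re
import subprocess
import sys
from typing import Dict, Iterable

# KEY=value with optional leading "export"; quotes and comments handled in parse_dotenv.
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Placeholder names: the audit only says the skill declares three META_* variables.
DECLARED = ("META_ACCESS_TOKEN", "META_AD_ACCOUNT_ID", "META_APP_SECRET")

# Constructed .env: the declared keys plus unrelated secrets sharing the file.
DOTENV_SAMPLE = """\
# declared in SKILL.md
META_ACCESS_TOKEN="EAAB...constructed"
META_AD_ACCOUNT_ID=act_1234567890
META_APP_SECRET=deadbeef  # trailing comment
# unrelated secrets that happen to live in the same .env
DEMO_UNRELATED_DB_PASSWORD='hunter2'
export DEMO_UNRELATED_STRIPE_KEY=sk_test_constructed
"""


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=value lines; strip matching quotes, or a ' #' comment on unquoted values."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a KEY=value line; python-dotenv would warn here
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        else:
            value = value.split(" #", 1)[0].rstrip()
        env[key] = value
    return env


def load_everything(text: str) -> Dict[str, str]:
    """What load_dotenv() does: every key is exported to os.environ (no override)."""
    loaded = parse_dotenv(text)
    for key, value in loaded.items():
        os.environ.setdefault(key, value)
    return loaded


def load_allowlisted(text: str, allowed: Iterable[str]) -> Dict[str, str]:
    """Return only the declared keys and leave os.environ untouched."""
    wanted = set(allowed)
    return {k: v for k, v in parse_dotenv(text).items() if k in wanted}


def in_process_env(keys: Iterable[str]) -> Dict[str, bool]:
    """Which keys are set in this process's environment."""
    return {k: k in os.environ for k in keys}


CHILD_PROBE = ("import json, os, sys; "
               "print(json.dumps({k: k in os.environ for k in sys.argv[1:]}))")


def visible_to_child(keys: Iterable[str]) -> Dict[str, bool]:
    """Which keys a spawned child process inherits (os.environ is passed by default)."""
    proc = subprocess.run([sys.executable, "-c", CHILD_PROBE, *keys],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print("allowlisted keys:", sorted(load_allowlisted(DOTENV_SAMPLE, DECLARED)))
    print("before load_dotenv-style load:", in_process_env(["DEMO_UNRELATED_DB_PASSWORD"]))
    load_everything(DOTENV_SAMPLE)
    print("after:", in_process_env(["DEMO_UNRELATED_DB_PASSWORD"]))
    print("child sees:", visible_to_child(["DEMO_UNRELATED_DB_PASSWORD", "META_ACCESS_TOKEN"]))
```

The allowlisted path returns exactly the three declared keys and leaves the unrelated secrets on disk; after the load_dotenv()-style path the unrelated password is in os.environ and a freshly spawned interpreter reports it as present. With real python-dotenv the equivalent is `{k: v for k, v in dotenv_values().items() if k in DECLARED}`.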

INFO No install-time code execution vectors detected 0

The skill contains no package.json with pre/post-install hooks, no git hooks, no .gitattributes filter drivers, no submodules, and no shell scripts. Python files are not executed at install time.
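
The vector classes this finding enumerates can be checked mechanically. The script below is an added example, not the audit tool's own code: it walks a skill directory and reports npm lifecycle scripts that run on install, `filter=` drivers in .gitattributes, a .gitmodules file, shell scripts, and non-sample git hooks. Both sample trees (one modelled on the audited skill's layout, one seeded with each vector) are constructed in a temporary directory for the demo.

```python
"""Enumerate install-time code-execution vectors in a skill directory.

Added example for this report, not the audit tool's own code. It checks the
vector classes the finding lists: package.json lifecycle scripts, git hooks,
.gitattributes filter drivers, submodules and shell scripts. The sample trees
are constructed in a temporary directory.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# npm lifecycle scripts that run during `npm install`; others need an explicit `npm run`.
NPM_INSTALL_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
SHELL_SUFFIXES = {".sh", ".bash", ".zsh"}


def install_time_vectors(root: Path) -> List[str]:
    """Return one finding string per vector found under `root`."""
    findings: List[str] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            try:
                scripts = json.loads(path.read_text()).get("scripts", {})
            except (json.JSONDecodeError, AttributeError):
                scripts = {}
            for name in sorted(NPM_INSTALL_SCRIPTS & set(scripts)):
                findings.append(f"{rel}: npm lifecycle script '{name}': {scripts[name]}")
        elif path.name == ".gitattributes":
            # A filter driver only executes if the clone's config defines
            # filter.<name>.smudge/clean, so this is a review flag, not proof.
            for line in path.read_text().splitlines():
                if re.search(r"\bfilter=\S+", line):
                    findings.append(f"{rel}: filter driver: {line.strip()}")
        elif path.name == ".gitmodules":
            findings.append(f"{rel}: submodules declared")
        elif path.suffix in SHELL_SUFFIXES:
            findings.append(f"{rel}: shell script")
        elif rel.startswith(".git/hooks/") and not path.name.endswith(".sample"):
            findings.append(f"{rel}: git hook")
    return findings


def build_tree(root: Path, files: Dict[str, str]) -> Path:
    """Materialise {relative_path: content} under `root`."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def scan_sample(files: Dict[str, str]) -> List[str]:
    """Build a constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return install_time_vectors(build_tree(Path(tmp), files))


# Constructed layout resembling the audited skill: docs, requirements, Python only.
CLEAN_SKILL = {
    "SKILL.md": "# meta-ads-report\n",
    "requirements.txt": "facebook-business\npython-dotenv\nurllib3<2\n",
    "report.py": "print('constructed placeholder')\n",
}

# Constructed layout seeded with one instance of every vector class.
SUSPICIOUS_SKILL = {
    "SKILL.md": "# demo\n",
    "package.json": json.dumps({"scripts": {"postinstall": "node setup.js", "test": "jest"}}),
    ".gitattributes": "*.py filter=cleaner\n",
    ".gitmodules": '[submodule "vendor"]\n\tpath = vendor\n\turl = https://example.invalid/vendor.git\n',
    "bootstrap.sh": "#!/bin/sh\necho constructed\n",
    ".git/hooks/post-checkout": "#!/bin/sh\necho constructed\n",
    ".git/hooks/pre-commit.sample": "#!/bin/sh\n",
}

if __name__ == "__main__":
    print("clean tree:", scan_sample(CLEAN_SKILL) or "no vectors")
    for finding in scan_sample(SUSPICIOUS_SKILL):
        print("suspicious tree:", finding)
```

The clean tree yields nothing, matching this finding; the seeded tree yields five results, and the `test` script and `.sample` hook are correctly ignored because neither runs at install time.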

INFO Installation network traffic confined to expected endpoints 0

All TCP connections during installation targeted GitHub (140.82.121.3) and pre-existing Ubuntu CDN sockets. No connections to third-party or attacker-controlled infrastructure were initiated by the skill installation process.

INFO Canary files accessed but not modified 0

Honeypot credential files were opened and read during the audit window, but their post-audit hashes match the originals, so none were modified. The reads occurred before skill installation completed and are accounted for by the audit system's own canary verification workflow rather than by the skill.

INFO SKILL.md contains no adversarial instructions 0

Full inspection of SKILL.md found only legitimate user-facing documentation: capability description, .env configuration table, credential acquisition steps, example natural-language commands, and troubleshooting guidance. No instruction overrides, hidden markup, or expanded-permission requests are present.