meta-ads-cli
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes external commands via a Python wrapper script (
scripts/meta_ads_agent.py) that interacts with the Meta Ads CLI. The script usessubprocess.runwith arguments passed as a list andshlex.split, which follows security best practices to prevent shell injection attacks. - [DATA_EXFILTRATION]: The wrapper script (
scripts/meta_ads_agent.py) contains specific logic (redact_token,redact_command, andscrub_env) designed to detect and redact sensitive information like access tokens, app secrets, and cookies from execution logs and command outputs. This serves as a significant security control to prevent credential exposure. - [PROMPT_INJECTION]: The skill is subject to indirect prompt injection risks common to agents that process external tool outputs.
- Ingestion points: Untrusted data from the Meta Ads CLI is ingested and parsed by the Python wrapper in
scripts/meta_ads_agent.py. - Boundary markers: The instructions advocate for structured JSON output (
--output json) to minimize parsing errors, though they do not employ explicit security delimiters for raw CLI data. - Capability inventory: The skill possesses the capability to modify campaign states (create, update, delete) via the
meta adstool. - Sanitization: The skill mitigates risks by requiring explicit human approval strings (
--approved) for any state-changing command and through a multi-tier risk classification system. - [PROMPT_INJECTION]: A metadata discrepancy is present where the author is listed as 'OpenAI' in the
SKILL.mdfrontmatter, which contradicts the provided developer context ('tristanmanchester'). This is likely a template artifact but constitutes metadata poisoning.
Audit Metadata