Governed ability

Get user meta

aafm/get-user-meta Read only

Read a single allowlisted scalar meta value from a user the agent can edit. Auth, capability, and 2FA keys are never readable.

How it is governed

The same model as every ability in the plugin, stated for this one.

  • Off until you enable it

    Like every ability, Get user meta ships switched off. You turn it on one at a time, and an update never widens access on its own.

  • Reads only

    It reads data and returns it to your client. Nothing on your site is created, changed, or removed.

  • Capability gated

    A connection only sees Get user meta if the user you connected can run it, and the plugin checks that capability again before it executes.

  • Every call audited

    The call is written to the log in your own database, denials included, with the argument keys but never the values.

See it in action

An illustrative run. Your real calls and data stay on your own site.

agent-abilities · audit Governed
You Get user meta on this site.
Run Running aafm/get-user-meta
Gate Allowed read capability confirmed
Audit aafm/get-user-meta · principal: editor · args: user_id
Result Returns the data the agent asked for. Nothing on the site changes.

Try it with a prompt

Example requests you could paste to your agent.

  1. Read the phone_extension meta field for user 88.
  2. What value is stored in the department key for editor Priya (user 214)?
  3. Fetch the office_location custom field from user 12 so I can confirm it.

These are illustrative example prompts. The agent runs them as the user you connected, checked against that user's capabilities and written to your audit log.

Frequently asked

Short answers for Get user meta.

Which meta keys can this read?

Only a single allowlisted scalar meta value from a user the agent can already edit. Authentication, capability, and two-factor keys are never readable, so it cannot be used to pull login secrets or role data.

Can the agent read meta for any user on the site?

No. It is limited to users the connected account can edit, and the whole ability is off by default until an administrator turns it on. Every call is recorded in the plugin audit log.

Back to all abilities

Governed by default, from the first call.

Get user meta is off until you enable it, scoped to the user you connect, and logged like everything else. Turn on only what you need.

Every ability off until you enable it, capability-gated on every call.