fb_page_manager
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill does what it claims—posts to a Facebook Page—but it uses powerful Meta credentials and can publish public content, so users should confirm posts carefully.
Install this only if you want OpenClaw to help publish to the configured Facebook Page. Before approving any post, verify the preview, Page identity, schedule, image, and comment link. Keep the Meta token and App Secret private and revoke them if you no longer use the skill.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If confirmed, the agent can create or schedule public Facebook Page posts, upload images, and add a first comment link.
The skill controls a tool that publishes public Facebook Page content, but it includes an explicit confirmation requirement before running the posting script.
**Never publish without user confirmation.**
Review the preview carefully and confirm only when the target Page, text, image, link, and schedule are correct.
Anyone or any agent process with access to these environment variables could post as the configured Facebook Page.
The skill requires a long-lived Meta Page token with posting permissions, which is expected for this purpose but grants meaningful authority over the Facebook Page.
`LONG_META_page_TOKEN` | Long-lived Page Access Token with `pages_manage_posts` and `pages_read_engagement` permissions
Use the least-privileged Page token possible, store it securely, limit access to the OpenClaw configuration, and revoke or rotate the token if the environment is shared or compromised.
