Facebook Scraper
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This Facebook scraping skill openly promotes stealth scraping, rate-limit/IP-ban evasion, and use of Facebook accounts, but those sensitive capabilities are not clearly bounded or reviewable.
Treat this as a review-required skill. It is not just a simple exporter: it advertises stealth scraping, proxy use, rate-limit/IP-ban avoidance, and Facebook account use, while the actual implementation is not included for review. Avoid using personal or important accounts, and do not run it unless you can verify the code, credential handling, legality, and platform-policy compliance.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this skill could put the user's Facebook accounts, IP address, or proxy provider at risk of enforcement, blocking, or account restrictions.
These instructions explicitly frame the browser automation around avoiding detection, rate limits, and IP bans, which is broader and riskier than ordinary user-directed public data export.
"Browser fingerprinting, human behavior simulation, and stealth scripts"; "Use multiple Facebook accounts"; "Use a residential proxy"; "Avoid IP Bans"
Only use scraping tools within site rules and legal limits; avoid automation that relies on stealth, multiple accounts, or ban-evasion tactics.
The agent may need access to Facebook accounts or sessions without clear limits on which account is used, how credentials are handled, or what actions the automation performs while logged in.
The skill references Facebook credential and verification-code use, plus multiple accounts, while the registry declares no primary credential or required environment variables.
"Login Issues"; "Ensure credentials are correct"; "Handle verification codes when prompted"; "Use multiple Facebook accounts"
Do not provide personal or privileged Facebook credentials unless the credential flow, storage, scope, and account-risk implications are clearly documented and acceptable.
A user cannot verify what code would actually run to scrape Facebook, handle credentials, download thumbnails, or implement stealth behavior.
The reviewed package does not include the implementation for the advertised discover/scrape commands, while SKILL.md describes runtime dependencies and stealth browser automation.
"No install spec — this is an instruction-only skill"; "No code files present"; SKILL.md lists required bins "python3" and "chromium"
Require a complete, reviewable implementation with pinned dependencies and accurate registry metadata before installing or running the skill.
Scraped names, contact details, posts, and images may remain on disk after the task and could be reused or exposed if not managed.
The skill documents persistent local storage of scraped records, queues, and downloaded images for later reuse.
"Queue files": "data/queue/..."; "Scraped data": "data/output/{page_name}.json"; "Thumbnails": "thumbnails/{page_name}/..."; "Resume interrupted scraping sessions"
Review output directories, retention needs, and cleanup practices before running broad scrapes.
