OpenClaw skill for Facebook Graph API workflows focused on Pages posting, comments, and Page management using direct HTTPS requests.
⭐ 6· 4.1k·20 current·22 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name, description, and all reference files consistently describe Facebook Graph API Page workflows (posting, comments, webhooks). There are no unrelated services, binaries, or capabilities requested that don't belong to a Facebook Pages skill.
Instruction Scope
SKILL.md and the references stay within the stated scope (HTTP templates, token exchange flow, webhook verification, comment moderation). They do request sensitive inputs (App ID, App Secret, Page IDs, and Page access tokens) but do not instruct the agent to access unrelated system files or external endpoints other than graph.facebook.com.
Install Mechanism
This is instruction-only with no install spec or code to download — lowest install risk. No archives, third-party packages, or remote installers are involved.
Credentials
The SKILL.md explicitly requires App ID, App Secret, Page ID(s), and Page access tokens, but registry metadata lists no required environment variables and no primary credential. That mismatch is a red flag: sensitive secrets are needed for operation but are not declared in metadata or assigned a primaryEnv. Without declared secret handling, an agent or user may end up pasting secrets into chat or storing them insecurely. The actual set of requested secrets is proportionate to the purpose, but the omission from metadata is problematic.
Persistence & Privilege
always:false and no install actions. The skill does not request permanent platform presence or modify other skills. Autonomous invocation remains enabled (platform default) but is not excessive here given the skill's purpose.
What to consider before installing
This skill appears to be what it says (Facebook Pages via Graph API) but there is a critical metadata mismatch: SKILL.md requires App ID, App Secret, Page IDs, and Page access tokens, yet the registry lists no required environment variables or primary credential. Before installing or using it: 1) Ask the publisher why secrets are not declared in metadata and request they add a primary credential (e.g., PAGE_ACCESS_TOKEN) and required env vars so the platform can handle secrets safely. 2) Do NOT paste App Secret or access tokens directly into chat; prefer a secret manager or environment variables handled by the agent platform. 3) Limit token scopes to least privilege, use a test Page for verification, and rotate tokens after testing. 4) Confirm the skill's source/author (homepage is missing) — if the publisher is unknown, review carefully or decline until metadata/source are clarified. 5) Require explicit instructions from the author about where/how secrets will be stored and whether the skill will ever transmit them off-platform.Like a lobster shell, security has layers — review code before you run it.
latestvk970dkxsddx63zzcvj3g9jsbbh80ddhv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.