Pass. Audited by ClawScan on May 10, 2026.
Overview
This is a documentation-only Facebook API skill whose instructions are consistent with its stated purpose of Page posting and moderation. Users should nevertheless treat it as high-privilege: it handles Page access tokens and documents actions that can publish, edit, hide, or delete public content.
As documentation rather than an installer or executable tool, the skill itself appears safe. Before using it, make sure you understand that Facebook Page tokens can publish, edit, hide, and delete public Page content. Use least-privilege permissions, protect app secrets and access tokens, and require human confirmation before any posting or deletion workflow.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with valid Page credentials, these requests could publish or remove posts on a Facebook Page.
The skill documents direct API operations that can publish, modify, or delete Facebook Page content. This is purpose-aligned, but it affects public/business-facing content.
Create a Page post: POST /{page-id}/feed ... Update post: POST /{post-id} ... Delete post: DELETE /{post-id}
Use explicit user approval for publish, update, and delete actions, and verify the target Page and post IDs before sending requests.
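One way to enforce the recommendation above, as an added example that is not code from the audited skill or from ClawScan: every mutating Graph API call is first turned into a plan, the plan is checked against the intended Page, and nothing is sent until an approval callback says yes. The example assumes the Graph API paths quoted in the finding, an API version of v19.0, and the documented Page post ID format "{page-id}_{post-id}"; the `send` callable is injected so the code runs offline, and the access token is supplied by `send` rather than stored in the plan so it cannot leak into approval logs.

```python
"""Gate publish, update and delete Graph API calls behind a target check and human approval."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

GRAPH_API = "https://graph.facebook.com/v19.0"  # API version assumed for illustration


@dataclass(frozen=True)
class PlannedRequest:
    action: str   # "create", "update" or "delete"
    method: str   # HTTP method
    url: str      # fully resolved Graph API URL (no access token embedded)
    body: dict    # form/JSON fields to send


def verify_target(page_id: str, post_id: str) -> None:
    """Page post IDs are '{page-id}_{post-id}'; refuse IDs owned by another Page."""
    owner, sep, _ = post_id.partition("_")
    if not sep or owner != page_id:
        raise ValueError(f"post {post_id!r} does not belong to Page {page_id!r}")


def plan(action: str, page_id: str, post_id: str | None = None,
         message: str | None = None) -> PlannedRequest:
    """Build the request the skill documents, validating the target before anything is sent."""
    if action == "create":
        if not message:
            raise ValueError("create requires a message")
        return PlannedRequest("create", "POST", f"{GRAPH_API}/{page_id}/feed", {"message": message})
    if action in ("update", "delete"):
        if post_id is None:
            raise ValueError(f"{action} requires a post_id")
        verify_target(page_id, post_id)
        if action == "update":
            if not message:
                raise ValueError("update requires a message")
            return PlannedRequest("update", "POST", f"{GRAPH_API}/{post_id}", {"message": message})
        return PlannedRequest("delete", "DELETE", f"{GRAPH_API}/{post_id}", {})
    raise ValueError(f"unsupported action {action!r}")


def execute(req: PlannedRequest,
            approve: Callable[[PlannedRequest], bool],
            send: Callable[[PlannedRequest], dict]) -> dict:
    """Send only after an explicit approval decision for this exact request."""
    if not approve(req):
        raise PermissionError(f"{req.action} {req.url} was not approved")
    return send(req)


if __name__ == "__main__":
    page = "111111111111111"  # constructed Page ID

    def approve_interactively(req: PlannedRequest) -> bool:
        # In a real workflow this is a human prompt; here deletes are refused outright.
        return req.action != "delete"

    def fake_send(req: PlannedRequest) -> dict:
        # Stand-in for the HTTPS call; a real sender attaches the Page token here.
        return {"success": True, "sent": f"{req.method} {req.url}"}

    print(execute(plan("create", page, message="hello"), approve_interactively, fake_send))
    try:
        execute(plan("delete", page, post_id=f"{page}_222"), approve_interactively, fake_send)
    except PermissionError as exc:
        print("blocked:", exc)
    try:
        plan("delete", page, post_id="999999999999999_222")
    except ValueError as exc:
        print("blocked:", exc)
```

The approval callback receives the fully resolved request, so the person confirming sees the exact method and URL that will be sent, not a description of it.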
A token with these scopes can manage posts and comments for Pages the user controls.
The workflow uses delegated Facebook permissions and Page access tokens. These privileges are expected for Page posting and moderation, but they grant meaningful account authority.
pages_manage_posts ... pages_manage_engagement ... Obtain user token with required scopes ... get the Page access token.
Grant only the minimum required permissions, use Page-specific tokens where possible, store tokens securely, and rotate or revoke them when no longer needed.
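A token audit that checks the points above before a workflow runs, as an added example rather than code from the audited skill or from ClawScan. It assumes the shape of the Graph API /debug_token response (data.type of "USER" or "PAGE", data.scopes, data.expires_at as a Unix timestamp with 0 meaning never, data.granular_scopes with per-scope target_ids); the sample response, app ID and Page ID are constructed.

```python
"""Audit a Facebook token for least privilege before a Page posting workflow uses it."""
from __future__ import annotations

import time

# The two permissions the skill's posting and moderation workflow actually needs.
REQUIRED_SCOPES = {"pages_manage_posts", "pages_manage_engagement"}

# Constructed /debug_token response: a never-expiring user token that also carries
# scopes the workflow does not need.
SAMPLE_DEBUG_RESPONSE = {
    "data": {
        "app_id": "123456789012345",
        "type": "USER",
        "is_valid": True,
        "expires_at": 0,
        "scopes": ["pages_manage_posts", "pages_manage_engagement",
                   "pages_read_engagement", "ads_management"],
        "granular_scopes": [
            {"scope": "pages_manage_posts", "target_ids": ["111111111111111"]},
            {"scope": "pages_manage_engagement", "target_ids": ["111111111111111"]},
        ],
    }
}


def audit_token(debug_response: dict, expected_app_id: str, target_page_id: str,
                now: float | None = None) -> list[str]:
    """Return least-privilege findings for a token; an empty list means it passes."""
    data = debug_response.get("data", {})
    now = time.time() if now is None else now
    findings: list[str] = []

    if not data.get("is_valid"):
        findings.append("token is not valid")
    if data.get("app_id") != expected_app_id:
        findings.append(f"token was issued to app {data.get('app_id')}, not {expected_app_id}")

    granted = set(data.get("scopes", []))
    if missing := REQUIRED_SCOPES - granted:
        findings.append("missing required scopes: " + ", ".join(sorted(missing)))
    if excess := granted - REQUIRED_SCOPES:
        findings.append("excess scopes beyond least privilege: " + ", ".join(sorted(excess)))

    # A user token can act on every Page the user administers; exchange it for a
    # Page token so the credential is scoped to a single Page.
    if data.get("type") != "PAGE":
        findings.append(f"{data.get('type', 'unknown')} token, not a Page-specific token")

    expires_at = data.get("expires_at", 0)
    if expires_at == 0:
        findings.append("token never expires; schedule rotation or revocation")
    elif expires_at < now:
        findings.append("token has expired")

    # Granular scopes name the Pages a permission was granted for; refuse a token
    # whose grants do not cover the Page this workflow is about to modify.
    for granular in data.get("granular_scopes", []):
        targets = granular.get("target_ids")
        if granular.get("scope") in REQUIRED_SCOPES and targets and target_page_id not in targets:
            findings.append(f"{granular['scope']} is not granted for Page {target_page_id}")
    return findings


if __name__ == "__main__":
    for line in audit_token(SAMPLE_DEBUG_RESPONSE, "123456789012345", "111111111111111"):
        print("-", line)
```

Run the audit once when the token is obtained and again before each scheduled job; a token that passed at setup can be re-authorized later with broader scopes or stop being restricted to the intended Page.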
A poorly implemented webhook could accept spoofed events or expose Page event data.
The skill includes webhook setup for Facebook Page events. It correctly mentions verification and signature validation, but webhook endpoints still require careful implementation.
Configure a callback URL and verify token ... Validate X-Hub-Signature-256 with your app secret.
Use HTTPS, validate signatures with the app secret, keep verify tokens private, and make webhook handlers idempotent as the skill recommends.
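A minimal receiver that implements the three controls named above (verify token handshake, X-Hub-Signature-256 validation with the app secret, idempotent handling of retried deliveries), as an added example rather than code from the audited skill or from ClawScan. It follows the documented webhook protocol: the GET verification request carries hub.mode, hub.verify_token and hub.challenge, and each POST delivery carries X-Hub-Signature-256 set to "sha256=" followed by the hex HMAC-SHA256 of the raw body under the app secret. APP_SECRET and VERIFY_TOKEN are placeholder values, the sample delivery is constructed, and the HTTP framework glue (and TLS termination) is left to the deployment.

```python
"""Facebook Page webhook receiver: verification handshake, signature check, idempotent delivery."""
from __future__ import annotations

import hashlib
import hmac
import json

# Placeholder secrets (assumed values); load from a secret store in a real deployment
# and never commit them. The verify token only guards the one-time GET handshake;
# the app secret is what authenticates every delivery.
APP_SECRET = b"replace-with-app-secret"
VERIFY_TOKEN = "replace-with-a-long-random-verify-token"


def handle_verification(query: dict[str, str]) -> tuple[int, str]:
    """GET handshake: echo hub.challenge only when hub.verify_token matches."""
    if query.get("hub.mode") == "subscribe" and hmac.compare_digest(
        query.get("hub.verify_token", ""), VERIFY_TOKEN
    ):
        return 200, query.get("hub.challenge", "")
    return 403, "verification failed"


def sign(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """The value Facebook sends in X-Hub-Signature-256 for a given raw body."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, header: str | None) -> bool:
    """Constant-time check of the header against HMAC-SHA256(app secret, raw body).

    The MAC must be computed over the exact bytes received: re-serialising parsed
    JSON changes whitespace and key order and makes genuine signatures fail.
    """
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(header, sign(raw_body))


class WebhookReceiver:
    """Handles POST deliveries: authenticate first, then dedupe, then act."""

    def __init__(self) -> None:
        self.seen: set[str] = set()    # use a shared persistent store across workers
        self.events: list[dict] = []   # stands in for the real per-event handler

    def handle_delivery(self, raw_body: bytes, headers: dict[str, str]) -> int:
        if not verify_signature(raw_body, headers.get("X-Hub-Signature-256")):
            return 401                 # unauthenticated: do not parse or act on the body
        payload = json.loads(raw_body)
        if payload.get("object") != "page":
            return 400                 # not a Page subscription event
        for entry in payload.get("entry", []):
            for change in entry.get("changes", []):
                # Facebook retries deliveries that time out or get a non-2xx reply, so
                # the same change can arrive more than once; key on its content.
                key = json.dumps([entry.get("id"), entry.get("time"), change], sort_keys=True)
                if key in self.seen:
                    continue
                self.seen.add(key)
                self.events.append(change)
        return 200


# Constructed sample delivery: a new comment on a Page post.
SAMPLE_BODY = json.dumps({
    "object": "page",
    "entry": [{
        "id": "111111111111111",
        "time": 1715300000,
        "changes": [{
            "field": "feed",
            "value": {"item": "comment", "verb": "add",
                      "post_id": "111111111111111_333",
                      "comment_id": "111111111111111_222",
                      "message": "first!"},
        }],
    }],
}).encode()


if __name__ == "__main__":
    receiver = WebhookReceiver()
    good = {"X-Hub-Signature-256": sign(SAMPLE_BODY)}
    print("signed:", receiver.handle_delivery(SAMPLE_BODY, good))           # 200
    print("retry: ", receiver.handle_delivery(SAMPLE_BODY, good),
          "events:", len(receiver.events))                                  # 200, still 1 event
    print("forged:", receiver.handle_delivery(SAMPLE_BODY, {"X-Hub-Signature-256": "sha256=" + "0" * 64}))  # 401
    print("tampered:", receiver.handle_delivery(SAMPLE_BODY + b" ", good))  # 401
```

Two design points worth keeping: the signature is checked against the raw request bytes before any JSON parsing, so a spoofed event never reaches application code; and the dedupe key is derived from the delivery content, because Facebook's retries reuse the same payload.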
