Messenger
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only Messenger API guide, but it involves sensitive Facebook Page credentials and live message-sending capabilities.
This skill appears safe as an instruction-only Messenger API guide. Install it only if you intend to work with Facebook Messenger/Page workflows, and be careful with App Secrets, Page access tokens, live message sends, webhook payloads, and production recipient data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If mishandled, these credentials could let someone act through the connected Facebook Page within the token's permissions.
The skill expects sensitive Facebook application and Page credentials, which can delegate access to Messenger/Page operations.
Required inputs
- Facebook App ID and App Secret.
- Page ID and Page access token.
Use least-privilege Page permissions, avoid exposing tokens in chat logs or shared files, rotate tokens when possible, and only provide credentials in a trusted workflow.
Using the templates against a live Page could send real messages or sender actions to real users.
The skill documents direct Send API calls that can send messages to Messenger users, which mutates external conversation state.
POST `/me/messages` ... "recipient": { "id": "PSID" }, "message": { "text": "Hello from the bot" }
Test with a development Page or approved recipients first, confirm the recipient and message content before live sends, and keep human approval around production messaging.
Webhook payloads may contain user conversation data, so weak validation or retention practices could expose private interactions.
Webhook handling receives external Facebook events, including user messages and interaction data; the artifact appropriately calls out signature validation.
Events
- `messages`, `messaging_postbacks`, `messaging_optins`, `message_reads`.
Signature validation
- Validate `X-Hub-Signature-256` with your app secret.
Implement the documented signature validation, process only expected event types, and define clear logging, retention, and access controls for webhook payloads.
