Messenger
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains these credentials can act as the connected Facebook Page, to the full extent of the token's permissions.
The skill expects sensitive Facebook application and Page credentials, which grant access to Messenger and Page operations.
Required inputs:
- Facebook App ID and App Secret.
- Page ID and Page access token.
Grant the Page token only the permissions the workflow needs, keep tokens out of chat logs and shared files, rotate them on a schedule and immediately after any suspected exposure, and supply credentials only inside a trusted workflow.
Using the templates against a live Page could send real messages or sender actions to real users.
The skill documents direct Send API calls that can send messages to Messenger users, which mutates external conversation state.
Documented call: POST `/me/messages` ... `"recipient": { "id": "PSID" }, "message": { "text": "Hello from the bot" }`
Test with a development Page or approved recipients first, confirm the recipient and message content before live sends, and keep human approval around production messaging.
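One way to put the recommendation above into code, as an added example that is not part of the scanned skill: a builder for the documented `POST /me/messages` call that refuses recipients outside an approved test list unless the send is explicitly marked live and attributed to a human approver. The `APPROVED_TEST_PSIDS` set, the `live` flag, the `approved_by` field and the Graph API version in the URL are this example's own assumptions; `messaging_type` is a real Send API field, and the Graph API accepts the Page token either as an `access_token` query parameter or as a bearer header (the header form is used here so the token stays out of URL access logs).

```python
"""Guarded builder for the Messenger Send API call documented by the skill.

Added example; not code from the skill or from Meta. Nothing here performs a
network request: build_send_request() returns a urllib Request that the caller
may open once the guards have passed.
"""
import json
from typing import Optional
from urllib import request

GRAPH_URL = "https://graph.facebook.com/v19.0/me/messages"  # version: assumption

# Constructed PSIDs of testers on a development Page (not real identifiers).
APPROVED_TEST_PSIDS = {"PSID-TESTER-1", "PSID-TESTER-2"}


class SendRefused(Exception):
    """Raised when a send would violate the recipient or approval policy."""


def build_send_request(page_token: str, psid: str, text: str, *,
                       live: bool = False,
                       approved_by: Optional[str] = None) -> request.Request:
    """Return a ready-to-open POST /me/messages request, or raise SendRefused.

    Non-live sends may only target approved test recipients. Live sends must
    name the human who approved this specific recipient and text.
    """
    if not live and psid not in APPROVED_TEST_PSIDS:
        raise SendRefused(f"{psid} is not an approved test recipient")
    if live and not approved_by:
        raise SendRefused("live sends require a named human approver")
    body = {
        "messaging_type": "RESPONSE",  # reply to a user-initiated conversation
        "recipient": {"id": psid},
        "message": {"text": text},
    }
    req = request.Request(GRAPH_URL, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    # Bearer header rather than ?access_token= so the token never lands in
    # proxy or web-server access logs.
    req.add_header("Authorization", f"Bearer {page_token}")
    return req


def describe(req: request.Request) -> str:
    """Log-safe summary of a built request: recipient and text length, never the token."""
    body = json.loads(req.data)
    return (f"POST {req.full_url} -> {body['recipient']['id']} "
            f"({len(body['message']['text'])} chars)")


if __name__ == "__main__":
    r = build_send_request("EAAexample-token", "PSID-TESTER-1", "Hello from the bot")
    print(describe(r))
    try:
        build_send_request("EAAexample-token", "PSID-STRANGER", "Hello from the bot")
    except SendRefused as exc:
        print("refused:", exc)
```

Opening the returned request (`urllib.request.urlopen(r)`) is the only step that mutates conversation state, so it is the natural place to attach the human-approval gate the note asks for.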
Webhook payloads may contain user conversation data, so weak validation or retention practices could expose private interactions.
Webhook handling receives external Facebook events, including user messages and interaction data; the artifact appropriately calls out signature validation.
Events: `messages`, `messaging_postbacks`, `messaging_optins`, `message_reads`.
Signature validation: validate `X-Hub-Signature-256` with your app secret.
Implement the documented signature validation (an HMAC-SHA256 of the raw request body keyed with the app secret, compared in constant time before the body is parsed, with unsigned or mismatched deliveries rejected), process only the subscribed event types, and define clear logging, retention, and access controls for webhook payloads, which carry user message content.
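The validation and filtering described in this note, as an added example that is not part of the scanned skill: the handler checks `X-Hub-Signature-256` over the raw body with the app secret, refuses anything unsigned or tampered before parsing, keeps only the four subscribed event families addressed to the deployment's own Page, and returns a record that omits message text so it can be logged under a short retention policy. The `handle_webhook` interface, the header dictionary and the sample delivery are this example's own constructions; the signature scheme (`sha256=` followed by the hex HMAC-SHA256 of the body) and the event payload keys (`message`, `postback`, `optin`, `read`) follow the Messenger Platform's documented webhook format.

```python
"""Validate and triage a Messenger webhook delivery.

Added example; not code from the skill or from Meta. The app secret and Page ID
are passed in as parameters; a real deployment reads them from a secret store.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Payload key that carries each subscribed event family. Anything not listed
# (for example "delivery") is dropped without further processing.
EXPECTED_EVENTS = {
    "message": "messages",
    "postback": "messaging_postbacks",
    "optin": "messaging_optins",
    "read": "message_reads",
}


def verify_signature(app_secret: str, raw_body: bytes,
                     header_value: Optional[str]) -> bool:
    """Check X-Hub-Signature-256 == 'sha256=' + hex(HMAC-SHA256(app_secret, raw_body)).

    The MAC covers the exact bytes received; re-serialising parsed JSON would
    change whitespace and break it. compare_digest prevents timing leaks.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = hmac.new(app_secret.encode(), raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_value[len("sha256="):])


def triage_events(raw_body: bytes, page_id: str) -> List[dict]:
    """Keep only subscribed events addressed to our Page; return log-safe records."""
    payload = json.loads(raw_body)
    if payload.get("object") != "page":
        return []
    accepted = []
    for entry in payload.get("entry", []):
        if str(entry.get("id")) != page_id:
            continue  # delivery for a Page this deployment does not own
        for evt in entry.get("messaging", []):
            kind = next((name for key, name in EXPECTED_EVENTS.items() if key in evt), None)
            if kind is None:
                continue  # unsubscribed or unknown event family
            accepted.append({
                "type": kind,
                "sender": evt.get("sender", {}).get("id"),
                "timestamp": evt.get("timestamp"),
            })
    return accepted


def handle_webhook(headers: Dict[str, str], raw_body: bytes,
                   app_secret: str, page_id: str) -> Tuple[int, List[dict]]:
    """Return (HTTP status, accepted events); 403 on a bad signature, before parsing."""
    if not verify_signature(app_secret, raw_body, headers.get("X-Hub-Signature-256")):
        return 403, []
    return 200, triage_events(raw_body, page_id)


def sign(app_secret: str, raw_body: bytes) -> str:
    """Header value Facebook would send for raw_body; used here to build the sample."""
    return "sha256=" + hmac.new(app_secret.encode(), raw_body, hashlib.sha256).hexdigest()


# Constructed sample delivery (not captured from a real Page): one text message,
# one read receipt, and one delivery receipt the handler is not subscribed to.
SAMPLE_SECRET = "example-app-secret"
SAMPLE_PAGE_ID = "1234567890"
SAMPLE_BODY = json.dumps({
    "object": "page",
    "entry": [{
        "id": SAMPLE_PAGE_ID,
        "time": 1700000000000,
        "messaging": [
            {"sender": {"id": "PSID-1"}, "recipient": {"id": SAMPLE_PAGE_ID},
             "timestamp": 1700000000000, "message": {"mid": "m1", "text": "hi"}},
            {"sender": {"id": "PSID-1"}, "recipient": {"id": SAMPLE_PAGE_ID},
             "timestamp": 1700000001000, "read": {"watermark": 1700000000000}},
            {"sender": {"id": "PSID-2"}, "recipient": {"id": SAMPLE_PAGE_ID},
             "timestamp": 1700000002000, "delivery": {"mids": ["m1"]}},
        ],
    }],
}).encode()

if __name__ == "__main__":
    good = {"X-Hub-Signature-256": sign(SAMPLE_SECRET, SAMPLE_BODY)}
    print(handle_webhook(good, SAMPLE_BODY, SAMPLE_SECRET, SAMPLE_PAGE_ID))
    print(handle_webhook(good, SAMPLE_BODY.replace(b"hi", b"ho"), SAMPLE_SECRET, SAMPLE_PAGE_ID))
```

Frameworks that normalise header names to lower case need the lookup adjusted accordingly; the important property is that the raw bytes of the body, not a re-encoded object, reach `verify_signature`.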
