Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Facebook Video Downloader

v1.2.0

Download Facebook videos, Reels, and Stories in HD quality. Use when user provides a Facebook video URL and wants to download it, or asks to save/download FB...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's requested capabilities align with its stated purpose: it posts a provided Facebook URL to savefbs.com and returns download links. It does not request unrelated credentials or binaries. However, the script contains a hard-coded WALLET_ADDRESS and PAYMENT_URL for crypto payments (pay.request.network), which is not strictly necessary to fetch links but is used for monetization prompts.
Instruction Scope
SKILL.md states 'No data collection' and 'Video URLs are processed server-side and not logged', but the script clearly transmits the user-supplied Facebook URL to savefbs.com and can receive/return metadata from that third-party. The script also writes a local usage file (~/.openclaw/skills/fb-video-downloader/usage.json) to track daily counts and a 'paid' flag. Those behaviors contradict the absolute privacy claims in the README.
Install Mechanism
This is an instruction-only skill with no install spec. No additional packages are installed automatically. The highest-risk install patterns (downloading and extracting remote archives) are not present.
Credentials
The skill requests no environment variables or external credentials, which is proportionate. It does, however, perform network access to savefbs.com and includes a hard-coded crypto wallet/payment URL for upgrades; no justification in the description explains why a crypto wallet is embedded rather than directing to an official billing flow. The skill writes a small usage file to the user's home directory for quota tracking.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It creates and writes a usage.json under the skill's own folder in the user's home (~/.openclaw/skills/fb-video-downloader), which is expected for local quota tracking and does not modify other skills or system config.
What to consider before installing
This skill will send any Facebook URL you provide to the third-party API at savefbs.com and will store a small usage file in ~/.openclaw/skills/fb-video-downloader/usage.json. The SKILL.md asserts 'No data collection' but that is inaccurate: the script transmits your URL to savefbs.com and tracks local usage. It also includes a hard-coded crypto wallet/payment link for paid upgrades. Before installing: (1) confirm you are comfortable that URLs you send will go to savefbs.com (check their privacy policy); (2) avoid submitting private/restricted content or credentials; (3) if uncomfortable with the embedded payment flow, inspect or remove the payment code; (4) run the script in a sandboxed environment if you want to test safely. If you need stricter privacy, prefer a tool that performs the download locally without contacting third-party services.

Like a lobster shell, security has layers — review code before you run it.
