ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Facebook Humanistic Profile Control

v1.0.6

CREDENTIALS REQUIRED: FB_COOKIE_FILE (Facebook session cookies JSON — treat as password), FB_STATE_FILE (Playwright state path, writable). Optional: FB_DRY_R...

0· 77·0 current·0 all-time
byJoel Yi - DeployAIBots.com@joelsalespossible
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (FB group scanner + auto-comments) match the requested items: python3, FB_COOKIE_FILE (cookie export), FB_STATE_FILE, Patchright/Playwright for a stealth Chromium. The cookie-based auth and Playwright automation are expected for this purpose.
Instruction Scope
SKILL.md and code instruct the agent to read the cookie file, convert/write a Playwright state file, intercept GraphQL responses, apply filter logic, and optionally post comments and call a webhook. These are within the declared purpose, but the skill can log raw GraphQL responses and (if configured) send notifications to an external webhook — review and control the webhook destination and logs.
Install Mechanism
Install uses pip (patchright from PyPI) and patchright's chromium install (Playwright distribution). This is a typical, traceable mechanism for Python/Playwright tooling; no arbitrary URL downloads or archive extraction from unknown hosts are present.
Credentials
Required env vars are limited and appropriate: FB_COOKIE_FILE (secret, required) and FB_STATE_FILE (writable path). Optional webhook and user-agent overrides are reasonable. No unrelated credentials or excessive secrets are requested.
Persistence & Privilege
Skill is not always-enabled and does not request system-wide persistent privileges. It writes a Playwright state file and can operate autonomously (default platform behavior). Because the cookie file grants full account access, prefer manual invocation or keep FB_DRY_RUN=true until you intentionally enable live commenting.
Assessment
This skill is coherent but high-risk by design because it requires Facebook session cookies (FB_COOKIE_FILE), which grant full account control. Only use with a dedicated/throwaway account, store the cookie file with restrictive permissions (chmod 600), and run inside an isolated VM or container. Keep FB_DRY_RUN=true until you have tested filtering thoroughly; do not set FB_DRY_RUN=false unless you explicitly want live posting. Review and control NOTIFY_WEBHOOK — any URL you provide will receive matched data. Audit the patchright package source before installing and avoid using your personal Facebook account to prevent account compromise or TOS violations. If you want to reduce risk, require manual invocation (do not allow autonomous agent use) and inspect logs and outgoing webhook activity before enabling live actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk975a5zk5ffb4jdn6tg8k0ngys83j45m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3
EnvFB_COOKIE_FILE, FB_STATE_FILE

Comments