Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill to manage a facebook page

v1.0.0

Manage Facebook Pages via Meta Graph API. Post content (text, photos, links), list posts, manage comments (list/reply/hide/delete). Use when user wants to publish to Facebook Page, check Page posts, or handle comments.

4· 4.1k·11 current·11 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The declared purpose is Facebook Page management via the Graph API — the core CLI and auth scripts align with that. However, two included scripts (x_digest_collect.js and x_digest_to_fb.js) scrape X (Twitter) using local X cookies and automatically post digests to Facebook. The high-level description and SKILL.md do not mention this cross-posting feature or the extra credentials it needs, so the bundle contains functionality beyond the stated purpose.
Instruction Scope
SKILL.md documents creating a .env with META_APP_ID and META_APP_SECRET and running auth.js to store tokens in ~/.config/fbpage/tokens.json, but the code: (a) actually loads .env from the skill directory, and (b) writes tokens to SKILL_DIR/tokens.json (not ~/.config). SKILL.md also omits any mention of the X scraping scripts and their required env vars (AUTH_TOKEN, CT0). This mismatch could lead to unintentional credential exposure or accidental execution of the X-related automation.
Install Mechanism
No remote downloads or opaque installers are present. The package is instruction-only with a package.json and standard npm dependencies (commander, dotenv). Installation requires running npm install in the scripts directory — standard but requires Node >= 18 as per dependency engines.
Credentials
Metadata declares no required env vars, but the code requires META_APP_ID and META_APP_SECRET in .env for Facebook OAuth, and the X-digest scripts require AUTH_TOKEN and CT0 (X cookies). Requesting X cookie values is unrelated to basic Facebook Page management. The skill also expects long-lived Facebook tokens and will persist them to disk; these credentials are sensitive and the skill does not declare them in registry metadata.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill writes tokens to disk (tokens.json in the skill directory per code) and creates temporary images in /tmp when building digests. The discrepancy between documented token path (~/.config/fbpage/tokens.json) and actual path (SKILL_DIR/tokens.json) is important: token files may end up inside the skill folder, which might be easier for other users or processes to access depending on installation — review file permissions and location before use.
What to consider before installing
This bundle contains legitimate Facebook Graph API tooling, but also includes extra 'X -> Facebook' digest scripts that require X (Twitter) cookie values (AUTH_TOKEN, CT0) — these cookies are sensitive and unrelated to basic FB page management. Before installing or running:
- Verify the source/trustworthiness of the skill (source: unknown).
- Expect to provide META_APP_ID and META_APP_SECRET in a .env (the registry metadata did not list these).
- If you do not want X scraping, delete or avoid running x_digest_collect.js / x_digest_to_fb.js; they call a local 'bird' CLI and require AUTH_TOKEN/CT0 env vars.
- Confirm where tokens are stored: code writes tokens.json in the skill directory (SKILL_DIR/tokens.json) with 0600 perms, but SKILL.md claims ~/.config/fbpage/tokens.json — fix this discrepancy or move tokens to a secure location you control.
- Limit app permissions and use testing roles until you confirm behavior. Consider running in an isolated environment (VM/container) and inspect scripts before providing credentials.
- If unsure, do not provide your X cookies or Facebook app secret, and request the publisher clarify the intended behavior and correct the documentation.
