Facebook Page Manager 1.0.0
Warn
Audited by ClawScan on May 10, 2026.
Overview
The Facebook Page management functions are mostly coherent, but the package also contains undisclosed X/Twitter-to-Facebook digest scripts that use X cookies, an external command, and Facebook Page tokens to publish posts.
Review this skill carefully before installing. The basic Facebook Page manager needs powerful Page permissions, which may be acceptable if you intend to post and moderate content. However, the package also includes hidden X/Twitter digest scripts that are not described in SKILL.md; remove them or do not provide AUTH_TOKEN/CT0 unless you explicitly want that workflow. Use a test Page first and require manual confirmation before any post, delete, hide, or reply action.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill can let the agent publish or remove Facebook Page content and moderate comments.
The skill asks for permissions that can create, edit, delete, hide, and reply to public Page content. This is purpose-aligned but high-impact account authority.
- `pages_manage_posts` - create/edit/delete posts
- `pages_manage_engagement` - manage comments
Use a dedicated Meta app/test Page where possible, grant only needed permissions, and review each post/delete/moderation action before running it.
A user expecting only Facebook Page management may not realize the package contains a separate workflow for publishing Clawdbot/Moltbot promotional digests.
This X-to-Facebook digest workflow is not disclosed in the skill description, setup, or command list, making the package materially under-described.
 * X -> Facebook Page digest poster
 * - Searches X for Clawdbot + Moltbot
 * - Posts to a Facebook Page as a photo post with caption + links
Remove these scripts or clearly document them as an optional feature with explicit user approval before any publishing.
Providing these cookies/tokens could let the script act with both your X session context and Facebook Page publishing authority.
The hidden digest workflow requires X session cookies and Facebook Page tokens even though X account access is outside the stated Facebook Page manager purpose and is not declared in metadata.
 * Requirements:
 * - X cookies in env: AUTH_TOKEN, CT0
 * - FB tokens.json at ../tokens.json
Do not provide AUTH_TOKEN or CT0 to this skill unless you intentionally want the X digest feature; prefer removing the digest scripts.
If the wrong 'bird' binary is installed or found on PATH, it could receive sensitive environment variables and X cookies.
The script executes an undeclared external binary named 'bird' and passes it the process environment plus X authentication cookies.
const out = execFileSync("bird", args, {
  env: {
    ...process.env,
    AUTH_TOKEN: requireEnv("AUTH_TOKEN"),
    CT0: requireEnv("CT0"),
Declare and pin the exact dependency, avoid passing the full environment, and require explicit user installation/approval before running external binaries.
Your Facebook Page could publish automatically selected content without a human reviewing the final post.
The hidden digest script can publish directly to a Facebook Page using stored Page tokens after automatically building a caption.
result = await fbUploadPhoto(pageId, pageInfo.token, imgPath, caption);
Require a dry-run preview and explicit confirmation before any public post is created.
Misleading, spammy, or attacker-influenced X content could be propagated to the user’s Facebook audience.
Untrusted X search results are selected and then used to build content for a public Facebook Page post.
const tweets = [
  ...birdSearchJson(q1, 12),
  ...birdSearchJson(q2, 12),
];
const top = pickTop(tweets, 6);
Add source validation, content filtering, and human review before reposting third-party content.
