ClawHub

Facebook Page Manager 1.0.0

PassAudited by VirusTotal on May 11, 2026.

Findings (1)

The skill is classified as suspicious due to a critical arbitrary command execution vulnerability. The scripts `scripts/x_digest_collect.js` and `scripts/x_digest_to_fb.js` use `child_process.execFileSync("bird", ...)` to execute an external, unmanaged binary named 'bird'. This binary is not declared as a dependency, and sensitive environment variables (AUTH_TOKEN, CT0 for X/Twitter) are passed to it, creating a significant RCE risk and potential for credential theft if the 'bird' binary is compromised or manipulated.