Facebook Page Messenger

Review

Audited by ClawScan on May 14, 2026.

Overview

This appears to be a legitimate Facebook Page Messenger integration, but it needs Page credentials and can let OpenClaw read and reply to Page DMs.

Install this only if you want OpenClaw to handle Facebook Page Messenger DMs for your Page. Protect the Page access token, app secret, and verify token; keep dmPolicy on pairing or allowlist unless you intentionally want any Facebook user who messages the Page to reach the assistant.

Publisher note

This outbound messaging capability is intentional and central to the plugin. The plugin sends Facebook Page Messenger replies only through the Page access token configured by the OpenClaw operator. It is scoped to Facebook Page Messenger DMs and page-scoped user IDs. The plugin includes sender policy controls through dmPolicy and allowFrom, supports pairing/allowlist modes, validates Meta webhook signatures, and stores no built-in credentials. Users should keep dmPolicy set to pairing or allowlist unless they intentionally want any Facebook user who messages the Page to reach the assistant.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured, OpenClaw can use the Page token and app credentials to operate the Facebook Page Messenger channel.

Why it was flagged

These are sensitive Facebook Page/Meta credentials needed for the plugin to authenticate webhooks and send Page Messenger messages.

Skill content

pageAccessToken: "<FACEBOOK_PAGE_ACCESS_TOKEN>", appSecret: "<FACEBOOK_APP_SECRET>", verifyToken: "<FACEBOOK_VERIFY_TOKEN>"

Recommendation

Use protected secret storage or environment variables, limit Page token scope where possible, and rotate/revoke credentials when removing the plugin.

What this means

Allowed agent replies or explicit sends can message Facebook users as the Page.

Why it was flagged

The plugin sends outbound Messenger messages through Meta Graph API using the configured Page access token.

Skill content

method: "POST" ... `https://graph.facebook.com/${version}/${encodeURIComponent(account.pageId)}/messages` ... message: { text }

Recommendation

Keep dmPolicy set to pairing or allowlist unless you intentionally want broader access, and monitor what the agent is allowed to send.

What this means

Facebook users who are allowed by the policy can influence the assistant conversation and may send sensitive content into OpenClaw.

Why it was flagged

Inbound Facebook Messenger text is routed into an OpenClaw agent turn, so external Facebook senders can supply agent input when permitted by the channel policy.

Skill content

BodyForAgent: text, RawBody: text ... await core.channel.turn.run({ channel: FACEBOOK_CHANNEL_ID, accountId: route.accountId, raw: params.event

Recommendation

Use pairing or allowlists for Page DMs, verify your webhook configuration, and avoid open mode unless any Facebook user who messages the Page should be able to reach the assistant.

What this means

Facebook DM content, sender IDs, and conversation context may be retained in OpenClaw session history according to the host runtime's storage behavior.

Why it was flagged

The channel records inbound Facebook DM session context through OpenClaw's session runtime.

Skill content

recordInboundSession: core.channel.session.recordInboundSession

Recommendation

Review OpenClaw retention and access controls for channel sessions, especially if Page DMs may contain private user information.