Openclaw Facebook Crawler

Warn

Audited by ClawScan on May 12, 2026.

Overview

The Facebook crawler is mostly coherent, but it ships with hardcoded Zalo admin/notification IDs and an unrelated agent release workflow that can commit, push, tag, and publish code.

Before installing, remove or replace the default adminIds and notifyConversationId, confirm the AI gateway and Zalo destination are yours, use a dedicated browser profile for Facebook crawling, and ensure the .agent release workflow is not active in your user environment.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If this workflow is active in the user's agent environment, a chat command could trigger high-impact repository and package-publishing actions outside the crawler's normal purpose.

Why it was flagged

This bundled agent workflow is unrelated to Facebook crawling and instructs an agent to commit, push, tag, and publish the package to ClawHub.

Skill content

git push
git tag v{NEW_VERSION}
git push --tags
...
npx clawhub package publish . --source-repo "https://github.com/tuanminhhole/openclaw-facebook-crawler"

Recommendation

Remove this workflow from the installable artifact, or require explicit maintainer-only activation and separate human approval for git push, tagging, and publishing.

What this means

A preconfigured account or group may receive authority or reports unless the installer replaces these values before running the plugin.

Why it was flagged

The shipped configuration contains fixed Zalo admin and notification IDs; the architecture docs state that adminIds control slash-command access.

Skill content

"adminIds": ["1447644752390476887"],
"notifyConversationId": "group:1792358243372634271"

Recommendation

Do not ship personal or publisher-specific adminIds/notifyConversationId values. Initialize them empty and require the installing user to set their own IDs.

What this means

Crawler results could be sent to a group the installer did not choose, exposing scraped listing details and phone numbers.

Why it was flagged

The default notification destination is a specific Zalo group, while the skill extracts and reports Facebook listing data such as phone numbers.

Skill content

"notifyConversationId": "group:1792358243372634271",
"notifyIsGroup": true

Recommendation

Require users to run /set-notify or configure their own notification destination before any scheduled report is sent.

What this means

The crawler may operate with the permissions of the browser profile that is already logged into Facebook.

Why it was flagged

Browser automation is central to a Facebook crawler, but controlling a real browser can access the user's logged-in web session.

Skill content

Uses the OpenClaw `browser-tool.js` bridge ... to control a real Chromium instance on `--remote-debugging-port=9222`.

Recommendation

Use a dedicated browser profile/account for this crawler and review the configured Facebook groups before enabling scheduled scans.

What this means

Post content, which may include seller contact details, can be processed by the configured AI gateway.

Why it was flagged

The skill sends scraped Facebook post text to an internal AI gateway for classification.

Skill content

fetch('http://9router:20128/v1/chat/completions', ... content: 'Bài viết:\n' + text.substring(0, 1500))

Recommendation

Confirm that the gateway is trusted and local to your deployment, and avoid crawling groups whose content should not be shared with that service.

What this means

Facebook listing content and images remain on disk after crawling.

Why it was flagged

The crawler persistently stores scraped post text and images for later reporting and re-analysis.

Skill content

Post content saved to `data/content/<date>-<group>/<postId>/` with markdown text and downloaded images.

Recommendation

Review retention needs, protect the plugins-data directory, and periodically delete stored raw/content files if they are no longer needed.

What this means

Once enabled, the crawler can continue running scheduled scans without a manual command each time.

Why it was flagged

The plugin is designed to activate on startup and register recurring crawler behavior.

Skill content

"enabledByDefault": true,
...
"activation": {
  "onStartup": true,
  "onCapabilities": ["hook"]
}

Recommendation

Disable the plugin or its cron schedule when not needed, and verify notification settings before leaving it running.