Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawhub Skill Lite
v1.1.0
Facebook Page AI management — 9 business types, 37 ready-made skills for auto-reply, posting, bookings, and more
by Vik @proship1
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name and description promise Facebook Page management (auto-reply, posting, bookings, analytics) but the package declares no credentials, no API endpoints, and no runtime instructions that would enable the agent to interact with Facebook. The only integration guidance is to visit an external website for OAuth, which leaves unclear how the agent obtains or uses any access tokens.
Instruction Scope
SKILL.md contains marketing copy and a high-level explanation but no concrete runtime steps for the agent (no API calls, commands, or token-handling instructions). It does not direct the agent to read any files/env vars, nor does it specify how to use credentials obtained via the external site — so the instructions do not actually implement the described capabilities.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no installer or downloaded code to evaluate. That minimizes direct install risk but also means there's nothing here to perform the integration.
Credentials
The skill declares no required environment variables or primary credential even though Facebook Page management would normally require OAuth tokens or API keys. Relying on an external web onboarding flow is plausible, but the SKILL.md does not explain how tokens are transferred, stored, or scoped for the agent — a mismatch that should be clarified before trusting the skill.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not indicate it modifies agent/system-wide settings. There is no evidence here of elevated privileges requested via the skill package itself.
What to consider before installing
This package appears to be a marketing/placeholder entry rather than a working integration. Before installing or enabling it: (1) ask the publisher for concrete runtime documentation showing how OAuth tokens from pageclaw.onechat.ai are made available to the agent (where tokens are stored, how long they last, what scopes are requested); (2) verify the external site, privacy policy, and OAuth consent screens and review the exact permissions you'll grant Meta; (3) prefer skills that declare required credentials and provide explicit API-call examples so you can audit what the agent will do; (4) don't assume your Facebook tokens will remain under your control just because the SKILL.md claims encryption — ask for technical details or a whitepaper. If you rely on automatic page management, require an explicit security review and test with a non-production Page first.
Like a lobster shell, security has layers — review code before you run it.
latestvk977ay5s5c93rmgjyteqqjerzx847b7k
