ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Facebook Page

v1.0.16

Facebook Page manager: post, schedule, reply, get insights & more. Requires: powershell/pwsh. Reads ~/.config/fb-page/credentials.json (FB_PAGE_TOKEN, FB_PAG...

2· 619·2 current·2 all-time
byseph@seph1709
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Facebook Page manager) aligns with requested artifacts: it requires PowerShell and a credentials file containing FB_PAGE_TOKEN and FB_PAGE_ID. No unrelated cloud credentials, other service keys, or unrelated binaries are requested.
Instruction Scope
Runtime instructions are narrowly scoped to: (1) read ~/.config/fb-page/credentials.json, (2) optionally perform a one-time token exchange using FB_APP_ID/FB_APP_SECRET, and (3) construct Invoke-RestMethod calls to graph.facebook.com endpoints. The SKILL.md explicitly limits external calls to graph.facebook.com only. Caution: it instructs storing FB_APP_SECRET in the same credentials file temporarily for token exchange (and to delete it afterward). The skill also includes examples for destructive actions (delete posts/comments) which are legitimate for the stated purpose but warrant user confirmation before execution.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. It only requires that powershell/pwsh be available on the host; nothing is downloaded or written by an install step.
Credentials
No environment variables are required. The declared primary credential is a local file (~/.config/fb-page/credentials.json) containing FB_PAGE_TOKEN and FB_PAGE_ID (required) and optional FB_APP_ID/FB_APP_SECRET for token exchange. This is proportionate to the purpose, but storing long-lived tokens and an app secret on disk is sensitive — the skill documents this and instructs restricting file permissions and deleting the app secret after use.
Persistence & Privilege
always:false (not force-included). disable-model-invocation:false is the normal default (agent may call the skill autonomously). The skill does not request persistent system-wide privileges or modify other skills' configs.
Assessment
This skill appears internally consistent with a Facebook Page manager, but pay attention to provenance and secret handling before installing: - Confirm you trust the skill source (no homepage and unknown source are signals to verify the publisher before use). - The skill requires a Page access token (FB_PAGE_TOKEN) and Page ID stored at ~/.config/fb-page/credentials.json. That file contains sensitive, long-lived credentials — follow the SKILL.md advice: restrict file permissions (chmod 600 / icacls) and do not commit it to version control. - The one-time token exchange uses FB_APP_SECRET; store that only temporarily and delete it afterward as instructed. - Review and grant only the minimal Graph API permissions the skill needs (pages_manage_posts, pages_read_engagement, etc.). - Be aware the skill can perform destructive actions (delete posts/comments). Require explicit confirmation when the agent asks to perform destructive operations. - If you have doubts about provenance, run the skill in an isolated environment or test with a throwaway Page and tokens you can revoke, and rotate tokens immediately after testing.

Like a lobster shell, security has layers — review code before you run it.

latestvk971am703s909sdzvv2q3fpqe9823mcq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

[fb] Clawdis
Any binpowershell, pwsh

Comments