Facebook Page
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill is transparent about managing a Facebook Page, but it deserves review because it can use a long-lived Page token to publish, delete, and moderate public content through broad Graph API calls without explicit built-in confirmation limits.
Install only if you want an agent to manage your Facebook Page. Use the minimum Meta permissions needed, remove the app secret after setup, lock down the credential file, rotate tokens when needed, and manually confirm any action that posts, deletes, hides, schedules, or publishes content.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misunderstands a request or is prompted carelessly, it could publish, delete, hide, or moderate Facebook Page content using the user’s Page token.
The skill exposes broad raw Meta Graph API mutation patterns, including destructive and public-facing Page actions, without an artifact-backed confirmation gate or tight allowlist.
Constructs and executes Meta Graph API calls inline based on what the user wants... Delete a post | DELETE | `/{post-id}` ... Hide comment ... Delete comment ... Publish draft post
Use this only with least-privilege Facebook permissions, verify post/comment IDs and content before execution, and require an explicit confirmation step for posting, deleting, hiding, scheduling, or publishing.
Anyone who gains access to this credential file may be able to manage the connected Facebook Page within the granted permissions.
The credential file and sensitive fields are explicitly declared and are expected for a Facebook Page integration, but they grant account-level authority, especially the long-lived Page token.
"primaryCredential": { "type": "file", "path": "~/.config/fb-page/credentials.json", "fields": [ "FB_PAGE_TOKEN", "FB_PAGE_ID", "FB_APP_ID", "FB_APP_SECRET" ], "sensitive": true }
Remove FB_APP_SECRET after setup if not needed, restrict file permissions, grant only required Meta permissions, and rotate the Page token if the host or file may have been exposed.
A user may underestimate the credential and account-access implications unless they read the full skill documentation.
The registry summary under-declares the credential requirement even though SKILL.md and _meta.json disclose the credential file; users relying only on the summary may miss that a sensitive token is required.
Required config paths: none ... Primary credential: none
Treat the full README/SKILL.md and _meta.json credential description as authoritative, and verify the token scope before use.
