Skill v1.0.7
ClawScan security
tw fashion social manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 1:25 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality (Meta/IG/FB insights + content advice) matches the included code, but there are notable packaging and instruction inconsistencies: the skill uses multiple secret META_ env vars and hard-coded local paths while declaring no required credentials, so don't run it blindly.
- Guidance: What to consider before installing or running this skill:
  - Do not run the provided shell snippet verbatim. It references hard-coded paths on the developer's machine (/Users/shangweilin/...) and a user-specific PYTHONPATH; change these to paths that exist on your system.
  - The included script requires Meta credentials (META_ACCESS_TOKEN, META_CLIENT_ID, META_CLIENT_SECRET, META_IG_ACCOUNT_ID, PAGE_ID). These are legitimate for fetching FB/IG insights, but the skill metadata does not declare them; ensure you only provide credentials you control and understand the scope of those tokens.
  - Avoid bulk-exporting an unverified .env file. If you do use a .env, open it and confirm only intended META_ lines exist before exporting. Better: set required META_ variables explicitly in a safe session or use a secrets manager.
  - Inspect the script locally: it calls only graph.facebook.com endpoints and writes an Excel report under ~/.openclaw/workspace/socialMediaManager/reports. There is no evidence of exfiltration to unknown domains, but verify the full script (the shipped version appears truncated in places) and run it in an isolated environment (container or VM) first.
  - Rotate tokens after testing if you provided long-lived credentials during evaluation. Prefer scoped Page tokens and follow least privilege (only grant permissions needed for reading insights).

  If you want, I can:
  - Point out the exact lines in fetch_insights.py that read secrets and perform token refresh.
  - Suggest a safer local run command that doesn't reference developer paths and that only sources explicitly-named env vars.
  - Help craft a minimal .env with only the needed META_ variables and a checklist for safe testing.
Review Dimensions
- Purpose & Capability (note): The skill is a Taiwan fashion social/ads manager and includes a Python script that calls the Facebook/Meta Graph API to fetch IG/FB/Threads insights; requiring Meta credentials (access token, client id/secret, page/IG IDs) is coherent with the stated purpose. However, the skill metadata and registry list no required environment variables or primary credential despite the script depending on multiple META_* secrets. This mismatch is a packaging/information integrity issue.
- Instruction Scope (concern): SKILL.md instructs running the included fetch_insights.py and installing Python packages (requests, pandas, openpyxl), which is expected. But the execution example exports META_ variables by reading a hard-coded path (/Users/shangweilin/projects/openclaw/.env) and sets a hard-coded PYTHONPATH (/Users/shangweilin/Library/Python/3.9/...). These instructions reference a specific developer filesystem and encourage bulk-exporting env vars from a .env file (even if limited to META_ lines). That is fragile and could accidentally pull sensitive variables from an unexpected .env; the instruction scope therefore goes beyond a simple 'run this script' and is unsafe to follow verbatim on an unfamiliar machine.
- Install Mechanism (ok): There is no install spec and this is instruction-plus-script only, which minimizes supply-chain risk. The script will write reports under ~/.openclaw/workspace/socialMediaManager/reports, which is reasonable for a reporting tool. No external arbitrary downloads or extract steps are present.
- Credentials (concern): The code reads multiple secret environment variables (META_ACCESS_TOKEN, META_CLIENT_ID, META_CLIENT_SECRET, META_IG_ACCOUNT_ID, PAGE_ID) which are required to access and refresh tokens for the Meta Graph API. Those env vars are proportional to the declared capability, but the skill's manifest fails to declare them, creating a visibility gap. Additionally, SKILL.md's example exports env vars from a hard-coded .env path which could inadvertently expose other local secrets if mis-edited; the script also attempts token refresh using client_secret, so possession of those secrets grants significant access to the user's Meta assets.
- Persistence & Privilege (ok): The skill is not always-active and is user-invocable; it does not request persistent platform privileges. It writes output to a skill-specific reports directory under the user's home but does not attempt to modify other skills or global agent settings. Autonomous invocation (disable-model-invocation=false) is the platform default and not flagged by itself.
