Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Facebook Scraper

v0.1.2

Discover and scrape public Facebook pages and groups by location and category with browser simulation and export data in JSON or CSV formats.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md declares runtime requirements (in its front-matter) of python3 and chromium and describes Playwright-style browser scraping, fingerprinting, and thumbnail downloads. The registry metadata lists no required binaries, no env vars, and no config paths — a clear mismatch. The declared capabilities (browser scraping, proxies, credentialed logins) would legitimately require those binaries and configuration, so their absence from the registry metadata is an inconsistency.
Instruction Scope
The runtime instructions direct the agent to discover and scrape Facebook pages/groups, download thumbnails, persist queue/output files in data/queue and data/output, and handle Facebook login flows and verification codes. They also recommend using multiple Facebook accounts and residential proxies. The SKILL.md therefore expects handling of sensitive credentials and persistent local storage. The skill does not limit or document how credentials are provided or protected, and the registry did not declare those inputs.
Install Mechanism
There is no install spec in the registry (instruction-only). However, the text implies non-trivial dependencies (Python, Playwright, Chromium, stealth scripts) and filesystem layout. The absence of an install mechanism means there is no authoritative, auditable way the agent will obtain or verify those dependencies — increasing risk and operational ambiguity.
Credentials
Although the skill's operation logically requires Facebook account credentials (for login flows), optional Google API key/Search Engine ID, and possibly proxy credentials, the registry declares no required environment variables or primary credential. This omission is disproportionate: the skill asks users to supply multiple sensitive secrets (accounts, API keys, proxy auth) in prose but does not declare them or explain storage/usage, which is a security and privacy risk.
Persistence & Privilege
The skill does not request always:true and is user-invocable (defaults). It will create local files (data/queue, data/output, thumbnails) according to SKILL.md; that is expected for a scraper and is appropriately scoped. There is no indication it modifies other skills or system-wide agent settings.
What to consider before installing
This skill describes browser-based scraping that will likely require installing Python/Playwright/Chromium, providing Facebook account credentials (and possibly multiple accounts), Google API keys (optional), and proxy credentials — none of which are declared in the registry. Before installing or using it, ask the publisher for: (1) source code or a reproducible install script; (2) an explicit list of environment variables and how credentials are supplied/stored; (3) a reliable install spec that pins packages and explains where files are written; and (4) an explanation of how authentication/verification flows are handled safely. Treat the skill as potentially privacy-invasive: only run it in an isolated environment (VM/container) and avoid providing real personal or high-privilege credentials until you can audit the code. Also consider legal/terms-of-service risks: automated scraping of Facebook and using multiple accounts or residential proxies can violate Facebook’s terms and local law.

Like a lobster shell, security has layers — review code before you run it.
