Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Facebook Graph API Skill (Secure)

OpenClaw skill for Facebook Graph API workflows focused on Pages posting, comments, and Page management using direct HTTPS requests.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 36 · 0 current installs · 0 all-time installs
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, and SKILL.md all describe Page posting, comment moderation, and webhook handling — and the requested credentials (FB_APP_ID, FB_APP_SECRET, FB_PAGE_ID, FB_ACCESS_TOKEN) are reasonable for that purpose. However, top-level registry metadata in the submission summary claims no required env vars while _meta.json and SKILL.md declare the sensitive env vars, and the _meta.json ownerId/slug/version differ from the registry metadata — this inconsistency weakens trust in the package provenance.
Instruction Scope
SKILL.md and the reference documents provide concrete HTTP request templates, webhook validation guidance, and token handling best practices. The instructions do not direct the agent to read unrelated system files or external endpoints beyond Facebook Graph API, nor do they instruct exfiltration of secrets. They explicitly warn not to log tokens and to validate signatures.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. That minimizes installation risk — nothing is downloaded or written by an installer.
Credentials
The set of environment variables requested (App ID, App Secret, Page ID, Page access token) is appropriate and proportionate for the described functionality. The concern stems from metadata inconsistencies: the provided summary shows 'Required env vars: none', while both SKILL.md and _meta.json require sensitive env vars and declare FB_ACCESS_TOKEN as primaryEnv. Incoherent packaging increases the risk that the skill was repackaged or tampered with, which matters because the skill asks for high-sensitivity secrets.
Persistence & Privilege
The skill does not request always:true and is user-invocable; autonomous invocation is allowed (platform default). It does not request system-level persistence or modify other skills' configs.
What to consider before installing
The skill's content appears to legitimately describe Facebook Page operations and correctly requests the Page-related secrets it needs. However, there are packaging/metadata mismatches (ownerId, slug, version, and a contradiction about which env vars are required) that reduce confidence in provenance. Before installing:

  1. Verify the skill's publisher/owner and origin (do not install if the source is unknown or mismatched).
  2. Prefer providing only a Page-scoped access token with minimal scopes (pages_manage_posts/pages_manage_engagement) rather than long-lived app secrets where possible; use short-lived or ephemeral credentials and a secrets manager.
  3. Test the skill in an isolated environment and monitor network traffic to confirm it only communicates with graph.facebook.com.
  4. If you must supply FB_APP_SECRET, keep it in a vault and rotate it after initial testing.
  5. If the metadata inconsistencies persist or the publisher cannot explain them, treat the package as untrusted and avoid installing it.


Current version: v1.0.2
latest: vk97amvenkey1tnkq3nwzxh478983vgz2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

Facebook Graph API Skill (Advanced)

Purpose

Provide a production-oriented guide for building Facebook Graph API workflows for Pages: publishing posts, managing comments, and operating Page content safely using direct HTTPS calls.

Best fit

  • You need Page posting and comment workflows.
  • You want a professional command design and safe operational guidance.
  • You prefer direct HTTP requests rather than SDKs.

Not a fit

  • You need advanced ads or marketing APIs.
  • You must use complex browser-based OAuth flows.

Quick orientation

  • Read references/graph-api-overview.md for base URLs, versions, and request patterns.
  • Read references/page-posting.md for Page publishing workflows and fields.
  • Read references/comments-moderation.md for comment actions and moderation flows.
  • Read references/permissions-and-tokens.md for access types and scope guidance.
  • Read references/webhooks.md for subscriptions and verification steps.
  • Read references/http-request-templates.md for concrete HTTP request payloads.

Required inputs

  • Facebook App ID and App Secret.
  • Target Page ID(s).
  • Token strategy: user token → Page access token.
  • Required permissions and review status.

Expected output

  • A clear Page workflow plan, permissions checklist, and operational guardrails.

Operational notes

  • Use least-privilege permissions.
  • Handle rate limits and retries.
  • Log minimal identifiers only.

Security notes

  • Never log tokens or app secrets.
  • Validate webhook signatures.
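The "validate webhook signatures" note above is the one check that keeps a forged callback from driving Page actions. As an added example (not one of the skill's reference files), the following shows the verification Meta documents for Graph API webhooks: the X-Hub-Signature-256 header carries sha256= followed by the hex HMAC-SHA256 of the raw request body keyed with the App Secret, and the subscription handshake echoes hub.challenge only when hub.mode and hub.verify_token match. The App Secret, verify token and payload below are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional


def compute_signature(app_secret: str, raw_body: bytes) -> str:
    """Return the value Meta places in X-Hub-Signature-256 for this body:
    'sha256=' + hex(HMAC-SHA256(app_secret, raw_body))."""
    digest = hmac.new(app_secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(app_secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time check of the X-Hub-Signature-256 header.

    Run this on the raw request bytes, before any JSON parsing or
    re-serialisation; a re-encoded body will not reproduce the digest."""
    if not header_value:
        return False  # unsigned deliveries are rejected, never trusted
    scheme, _, received = header_value.partition("=")
    if scheme.lower() != "sha256" or not received:
        return False
    expected = compute_signature(app_secret, raw_body)[len("sha256="):]
    # compare_digest on bytes avoids both timing leaks and the TypeError that
    # str comparison raises on non-ASCII input.
    return hmac.compare_digest(expected.encode("ascii"), received.lower().encode("utf-8"))


def handle_verification_request(params: dict, verify_token: str) -> Optional[str]:
    """Subscription handshake (GET): return hub.challenge to echo back only if
    hub.mode is 'subscribe' and hub.verify_token matches; None means the
    caller should answer 403."""
    if params.get("hub.mode") != "subscribe":
        return None
    presented = params.get("hub.verify_token", "").encode("utf-8")
    if not hmac.compare_digest(presented, verify_token.encode("utf-8")):
        return None
    return params.get("hub.challenge")


# Constructed sample data (not real credentials or a real delivery).
APP_SECRET = "example-app-secret-not-real"
VERIFY_TOKEN = "example-verify-token"
BODY = b'{"object":"page","entry":[{"id":"123","changes":[{"field":"feed"}]}]}'

if __name__ == "__main__":
    sig = compute_signature(APP_SECRET, BODY)
    print("valid   :", verify_signature(APP_SECRET, BODY, sig))
    print("tampered:", verify_signature(APP_SECRET, BODY + b" ", sig))
    print("handshake:", handle_verification_request(
        {"hub.mode": "subscribe", "hub.verify_token": VERIFY_TOKEN, "hub.challenge": "42"},
        VERIFY_TOKEN))
```

The App Secret is only ever used as an HMAC key here and never appears in output, which is consistent with the "never log tokens or app secrets" note above.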

Credentials & Secret Management

This skill requires the following environment variables to be set:

  • FB_APP_ID – Your Facebook App ID.
  • FB_APP_SECRET – Your Facebook App Secret (highly sensitive).
  • FB_PAGE_ID – The target Facebook Page ID.
  • FB_ACCESS_TOKEN – A Page access token with sufficient permissions.

Best practices:

  • Store secrets in a secure vault or environment manager; do not hardcode.
  • Use different tokens for development and production.
  • Rotate tokens periodically and after any suspected compromise.
  • Restrict App Secret access to minimal personnel.

Incident Response

If a token or secret is suspected to be leaked:

  1. Immediately revoke the token in the Facebook Developer Dashboard.
  2. Generate a new Page access token.
  3. Rotate the App Secret if necessary.
  4. Review logs for unauthorized usage.

Authentication

All Graph API calls must include a valid access token, either as the access_token query parameter or in an Authorization: Bearer <token> header. See references/http-request-templates.md for examples.
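Of the two placements above, the header form is the safer default: a token in the query string ends up in web-server access logs, proxy logs and any URL a tool prints. As an added example (not one of the skill's reference files), the following builds a Graph API request with the token in the Authorization header and pairs it with a log scrubber that masks access_token and client_secret query values and Bearer credentials, so the "never log tokens" rule holds even when a full URL or header line is logged by mistake. graph.facebook.com is the host the scan report names; the API version string and the Page ID, token and paths are placeholders or constructed values.

```python
import json
import re
import urllib.parse
import urllib.request
from typing import Optional

GRAPH_BASE = "https://graph.facebook.com"
GRAPH_VERSION = "vX.Y"  # placeholder: substitute the Graph API version your app targets


def build_graph_request(path: str, token: str, params: Optional[dict] = None,
                        method: str = "GET", body: Optional[dict] = None) -> urllib.request.Request:
    """Build a Graph API request that carries the token only in the
    Authorization header, never in the URL. `path` is e.g. f"{FB_PAGE_ID}/feed"."""
    url = f"{GRAPH_BASE}/{GRAPH_VERSION}/{path.lstrip('/')}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


# Secret-bearing fields that must be masked before a line reaches any log sink.
_SECRET_PATTERNS = [
    re.compile(r"(access_token=)[^&\s]+", re.IGNORECASE),
    re.compile(r"(client_secret=)[^&\s]+", re.IGNORECASE),
    re.compile(r"(Bearer\s+)[A-Za-z0-9._~+/=-]+"),
]


def redact(text: str) -> str:
    """Replace token-like values with [REDACTED]; the field name is kept so the
    log line stays useful for debugging."""
    for pattern in _SECRET_PATTERNS:
        text = pattern.sub(r"\1[REDACTED]", text)
    return text


def loggable_request(req: urllib.request.Request) -> str:
    """Summarise a request for logging: method, redacted URL and header names
    only (header values are deliberately omitted)."""
    return redact(f"{req.get_method()} {req.full_url} headers={sorted(req.headers)}")


if __name__ == "__main__":
    # Constructed values: a fake Page ID and a fake token.
    req = build_graph_request("123456789/feed", "EXAMPLE-TOKEN-NOT-REAL",
                              method="POST", body={"message": "hello"})
    print(loggable_request(req))
    print(redact("GET /vX.Y/me?access_token=EXAMPLE-TOKEN-NOT-REAL&fields=id"))
```

In production, wrap the logger so every record passes through redact() rather than relying on call sites to remember it.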

Additional References

  • references/security-and-secrets.md – Detailed security guidelines.
  • references/permissions-and-tokens.md now includes environment variable requirements.
  • references/http-request-templates.md includes authentication patterns.

Files

9 total
