Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Facebookadvanced

v1.0.4

OpenClaw skill for posting to Facebook Pages from the terminal


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for phuongsky/facebookadvanced.

Install the skill "Facebookadvanced" (phuongsky/facebookadvanced) from ClawHub.
Skill page: https://clawhub.ai/phuongsky/facebookadvanced
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install facebookadvanced

ClawHub CLI

npx clawhub@latest install facebookadvanced

Security Scan

Capability signals

  • Requires OAuth token
  • Requires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the code: the JavaScript files implement posting, scheduling, listing drafts, and test flows against graph.facebook.com. Requested capabilities (posting, scheduling, deleting) are coherent with a Facebook Pages posting skill. However, the SKILL.md and code disagree about config filenames and CLI names (SKILL.md references facebook-config.json and a Windows path, many code files read/write facebook-posting.json in the user workspace), which is inconsistent and could confuse users.
! Instruction Scope
SKILL.md instructs users to place a facebook-config.json in the skill directory or shows a Windows hard-coded path (C:\Users\OS\.openclaw\workspace\facebook-config.json), but most code reads/writes facebook-posting.json from the OpenClaw workspace (resolved from HOME/USERPROFILE or OPENCLAW_WORKSPACE). CLI binary names also differ between docs and code (e.g., 'openclaw-facebook-posting' vs 'openclaw fb-post-*'). The README also explicitly warns that access tokens are stored in plain text; the code persists the token to disk without encryption. These mismatches are scope/integration errors that could cause accidental token exposure or misconfiguration.
Install Mechanism
Registry metadata lists no install spec (instruction-only), but the package includes many code files (index.js, commands/*.js, package.json). There's no provided installation script in the registry metadata — the SKILL.md suggests npm global install and linking. Because there's no automated install spec, nothing will be dropped by the platform automatically, but installing the package with npm (per the README) will write files to the environment; verify package.json and postinstall hooks before running npm install.
! Credentials
The skill declares no required environment variables or primary credential, and it asks the user to supply a Facebook Page access token via the CLI (reasonable). It stores the access token in a plaintext JSON file in the user's workspace (facebook-posting.json), which is explicitly called out in the SKILL.md. The code also respects OPENCLAW_WORKSPACE if set, but that env var is not declared in metadata. Storing long-lived tokens in plaintext is disproportionate risk if users don't secure the workspace. There are no other unrelated credentials requested.
Persistence & Privilege
The skill does not request always:true or any elevated platform privileges. It does write a config file to the user workspace (normal for a CLI tool). The skill can be invoked autonomously by the agent (platform default), but that is not an additional red flag here.
What to consider before installing
What to check before installing or running this skill:

  • Do not paste your Page access token into a public place. The skill stores the token unencrypted in a JSON file in your OpenClaw workspace (facebook-posting.json per the code, but SKILL.md refers to facebook-config.json and a Windows path). Clarify which file the tool will actually read/write and secure that file (restrict filesystem permissions) or use environment variables instead.
  • The README and code disagree on filenames and CLI names. Confirm which filename the installed package will use (facebook-posting.json vs facebook-config.json) and where it will be written. If you follow the README but the code reads a different path, your token may be left in an unexpected location.
  • Review package.json and any npm install hooks before running npm install -g or linking the package. Because the registry metadata did not include an automated install spec, running npm will actually execute whatever is in package.json (postinstall scripts could be present in the omitted files).
  • The code only talks to graph.facebook.com, which is expected. Still, because some files were truncated in the provided dump, provide the remaining files (full package.json and any omitted scripts) for a full review — the current judgment assumes the omitted files don't contain unexpected network endpoints or obfuscated code.
  • Prefer using short-lived tokens or environment variables (and platform secrets storage) rather than plaintext files. If you must use a file, set restrictive file permissions and remove tokens when not needed.
  • If you want to proceed: run the tool in a sandbox or throwaway account first to confirm behavior, and verify that test-post/deletion behavior is acceptable (the test command creates and attempts to delete a post).

What would change this assessment to 'benign':

  • SKILL.md fixed to match the actual config filename/path and CLI names, no postinstall hooks in package.json, and explicit guidance to use environment-based secrets or encrypted storage. Also provide the omitted files for review showing no other network targets or obfuscated code.

What would increase severity to 'malicious':

  • Discovery of postinstall scripts or other omitted files that contact non-Facebook endpoints, exfiltrate the access token, or contain obfuscated code.

If you want, provide the remaining files (complete package.json and the omitted JS files) and I will re-scan them.

commands/fb-post-setup.js:32
Environment variable access combined with network send.
! commands/post-schedule-list.js:60
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97cqhpgyy9y23g6p2tambwj9n85h302
161 downloads
0 stars
5 versions
Updated 2d ago
v1.0.4
MIT-0

Facebook Page Posting Skill

A command-line skill for posting to Facebook Pages via the Graph API.

Overview

This skill provides CLI commands to:

  • Post text and images to Facebook Pages
  • Schedule posts for later publication
  • Manage scheduled posts
  • Test connections and verify credentials

Installation

The skill is installed as an npm package:

npm install -g clawhub
clawhub install facebookadvanced
cd .\facebook-advanced
npm install
npm link

Or run directly from the workspace:

node C:\Users\OS\.openclaw\workspace\skills\facebook-advanced\index.js <command>

Usage

OPTIONAL - create facebook-config.json in the same directory as the skill:

{
  "page_id": "",
  "access_token": "",
  "page_name": ""
}

Setup

First, configure your Facebook Page credentials:

openclaw-facebook-posting fb-post-setup <page_id> <access_token> [page_name]

Getting a Page Access Token:

  1. Go to Facebook Developer Console
  2. Create an app (if needed)
  3. Add "Graph API" product
  4. Generate a Page Access Token with permissions:
    • pages_manage_posts - Create and manage posts
    • pages_read_engagement - Read page content

Posting

Text Post:

openclaw-facebook-posting fb-post "Your message here"

Image Post:

openclaw-facebook-posting fb-post-image "Caption" "https://example.com/image.jpg"

Scheduling

Schedule a Post:

openclaw-facebook-posting fb-post-schedule "Tomorrow's post!" "2024-04-20T10:00:00Z"

List Scheduled Posts:

openclaw-facebook-posting fb-post-schedule-list

Delete Scheduled Post:

openclaw-facebook-posting fb-post-schedule-delete <post_id>

Testing

Test Connection:

openclaw-facebook-posting fb-post-test

Show Configuration:

openclaw-facebook-posting fb-config-show

Help

openclaw-facebook-posting --help

Configuration

Configuration is stored in:

C:\Users\OS\.openclaw\workspace\facebook-config.json

Security Note: This file contains your access token. Keep it secure.

Commands Reference

Command                   Description
fb-post-setup             Configure Facebook Page credentials
fb-post                   Post text to your Page
fb-post-image             Post image with caption
fb-post-schedule          Schedule a post for later
fb-post-schedule-list     List scheduled posts
fb-post-schedule-delete   Delete a scheduled post
fb-post-test              Test connection and permissions
fb-config-show            Show current configuration
--help                    Show help message

Troubleshooting

Common Issues

Invalid Access Token:

  • Token expired. Generate a new one and re-run setup.
  • Check token permissions.

Page Not Found:

  • Verify page_id is correct.
  • Ensure token has access to the page.

Permission Denied:

  • Token needs pages_manage_posts permission.
  • Re-generate token with correct permissions.

API References

Security Considerations

  • Access tokens are stored in plain text in the config file
  • Do not share your config file
  • Revoke tokens when no longer needed
  • Use environment variables for sensitive data in production

Development

Project Structure

example-posting/
├── index.js              # Main CLI entry point
├── package.json          # npm package config
├── README.md             # User documentation
├── SKILL.md              # Skill documentation
├── commands/
│   ├── setup.js          # Configuration setup
│   ├── post.js           # Text posting
│   ├── post-image.js     # Image posting
│   ├── post-schedule.js  # Schedule posts
│   ├── post-schedule-list.js  # List scheduled posts
│   ├── post-schedule-delete.js  # Delete scheduled posts
│   ├── post-test.js      # Connection testing
│   ├── config-show.js    # Show configuration
│   └── help.js           # Help message
└── facebook-config.json  # User configuration (created on setup)

Adding New Commands

  1. Create a new file in commands/ directory
  2. Export a function that handles the command logic
  3. Add the command to index.js commands mapping
  4. Update help.js with documentation

Testing

# Test connection
node commands/post-test.js

# Test specific command
node commands/post.js "Test message"

License

MIT
