Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

qwe

v1.0.0

Facebook Publisher Skill (Automate Page Posts via Graph API)

by Phan Văn Năng (@yunneetoichoi)

Install

Install with OpenClaw (prompt flow)

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yunneetoichoi/qwe.

Prompt preview: Install & Setup
Install the skill "qwe" (yunneetoichoi/qwe) from ClawHub.
Skill page: https://clawhub.ai/yunneetoichoi/qwe
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: FB_APP_ID, FB_APP_SECRET, FB_PAGE_ID, FB_PAGE_ACCESS_TOKEN
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command line (CLI commands)

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI (bare skill slug):

openclaw skills install qwe

ClawHub CLI (via npx):

npx clawhub@latest install qwe

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The SKILL.md and code implement Facebook Page posting and token exchange, which matches the declared purpose. However config.py's validate() lists unrelated required env vars (OPENAI_API_KEY and APIFY_API_TOKEN) in addition to Facebook vars. Those services (OpenAI, Apify) are not used anywhere else in the shipped scripts, so requiring them is disproportionate and incoherent with a pure FB publisher skill.
! Instruction Scope
SKILL.md instructs interactive token flow and running provided scripts, which aligns with the code. But agents/fb_token_helper.py instructs users to select a specific App ID (4348763312075291) in Graph Explorer — this encourages using an app that may not be the user's and is a red flag. The helper prints long-lived tokens to the console and writes them to a local JSON file (fb_tokens_output.json), contradicting the SKILL.md's own 'Never log tokens' guidance and increasing leak risk.
Install Mechanism
No install spec; this is an instruction-and-code-only skill. Nothing is downloaded or installed automatically, which lowers supply-chain risk.
! Credentials
SKILL.md declares FB_APP_ID, FB_APP_SECRET, FB_PAGE_ID, FB_PAGE_ACCESS_TOKEN which are appropriate. But config.py also reads many other env vars (OPENAI_API_KEY, APIFY_API_TOKEN, FB_CLIENT_TOKEN, FB_USER_ACCESS_TOKEN) and its validate() will raise if OPENAI_API_KEY and APIFY_API_TOKEN are not set — these appear unrelated to Facebook posting and are disproportionate. The skill asks users to paste tokens interactively and then prints/saves them, which is unnecessary exposure of secrets.
Persistence & Privilege
The skill does not request special platform privileges (its metadata sets always: false). However fb_token_helper.py persists tokens to fb_tokens_output.json and suggests storing tokens in .env; both create local persistence that can be accidentally committed or read by other processes. The skill does not modify other skills or system-wide settings.
What to consider before installing
This skill largely does what it claims (posting to Facebook Pages), but there are several red flags you should address before running it:

  1. config.validate() requires OPENAI_API_KEY and APIFY_API_TOKEN even though those services are unused — remove them or understand why they are required.
  2. The token helper explicitly tells you to pick a specific App ID in Graph Explorer (4348763312075291) — do not use someone else's app; generate tokens with your own app and app secret.
  3. The helper prints long-lived tokens to the console and writes them to fb_tokens_output.json; remove the printing and file writes, or ensure you run in an isolated environment and never commit saved token files.
  4. If you plan to run these scripts, run them in an isolated VM/container, review and remove any hardcoded sample values, and avoid pasting production secrets until you confirm the code has been cleaned.

Given these issues, proceed only after code cleanup or further verification.

Runtime requirements

Environment variables
FB_APP_ID             required
FB_APP_SECRET         required
FB_PAGE_ID            required
FB_PAGE_ACCESS_TOKEN  required

Latest version: vk97d3ffedf4d2a4njxv4nbf2ph836gj6 (v1.0.0, updated 21h ago)
186 downloads, 0 stars, 1 version, license MIT-0

Facebook Graph API Skill (Advanced)

Purpose

Production-oriented guide for building Facebook Graph API workflows for Pages: publishing posts (text + image), managing tokens, and operating Page content safely using direct HTTPS calls.

Best fit

  • Page posting automation with images (DALL-E generated or external URL)
  • Token management (short-lived → long-lived → page token)
  • Retry-safe, rate-limit-aware production pipelines

Not a fit

  • Personal profile posting (not supported by Graph API for third-party apps)
  • Ads / Marketing API workflows
  • Browser-based OAuth flows

Quick orientation

agents/fb_token_helper.py     ← Get & exchange tokens (run this first!)
agents/fb_publisher_agent.py  ← Post text / images to Page
config.py                     ← All env vars
test_fb_connection.py         ← Verify token is working

Token Flow

Short-lived User Token (1-2h)
        ↓  GET /oauth/access_token?grant_type=fb_exchange_token
Long-lived User Token (60 days)
        ↓  GET /me/accounts
Page Access Token (never expires*)

*Until user changes password or revokes app.
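The token flow above as an added example (not the skill's own fb_token_helper.py): the same two exchanges, written against a pluggable transport so it runs offline. The transport signature `transport(path, params) -> dict`, the `fake_transport` stand-in, and every token, app id and secret value are constructed for this example; it also adds the Graph API's `appsecret_proof` parameter and a `redact` helper so a full token never reaches the console.

```python
import hashlib
import hmac

GRAPH = "https://graph.facebook.com/v21.0"
APP_SECRET = "example-app-secret"   # constructed placeholder, never a real secret

def appsecret_proof(access_token: str, app_secret: str) -> str:
    """HMAC-SHA256 of the token keyed with the app secret; with 'Require App Secret' on, a leaked token alone cannot call the API."""
    return hmac.new(app_secret.encode(), access_token.encode(), hashlib.sha256).hexdigest()

def exchange_long_lived(transport, app_id, app_secret, short_token):
    """Short-lived user token -> long-lived user token (about 60 days)."""
    data = transport(f"{GRAPH}/oauth/access_token", {
        "grant_type": "fb_exchange_token", "client_id": app_id,
        "client_secret": app_secret, "fb_exchange_token": short_token})
    if "access_token" not in data:
        raise RuntimeError(f"exchange failed: {data.get('error')}")
    return data["access_token"]

def page_token(transport, long_token, app_secret, page_id):
    """Long-lived user token -> Page token, for exactly the Page we manage."""
    data = transport(f"{GRAPH}/me/accounts", {
        "access_token": long_token,
        "appsecret_proof": appsecret_proof(long_token, app_secret)})
    if "error" in data:
        raise RuntimeError(f"/me/accounts failed: {data['error']}")
    for page in data.get("data", []):
        if page.get("id") == page_id:
            return page["access_token"]
    raise LookupError(f"page {page_id} is not among the pages this user manages")

def redact(token: str) -> str:
    """The only form of a token that may reach a log line or the console."""
    return f"{token[:4]}...{token[-4:]}" if len(token) > 12 else "***"

# Constructed stand-in for the HTTPS GET; /me/accounts rejects a wrong appsecret_proof.
def fake_transport(path, params):
    if path.endswith("/oauth/access_token") and params.get("grant_type") == "fb_exchange_token":
        return {"access_token": "LONGLIVED_EXAMPLE_TOKEN_0000", "expires_in": 5183944}
    if path.endswith("/me/accounts"):
        if params.get("appsecret_proof") != appsecret_proof(params["access_token"], APP_SECRET):
            return {"error": {"message": "Invalid appsecret_proof", "code": 100}}
        return {"data": [{"id": "111", "name": "Other Page", "access_token": "PAGE_TOKEN_OTHER_1111"},
                         {"id": "222", "name": "My Page", "access_token": "PAGE_TOKEN_MINE_2222"}]}
    return {"error": {"message": f"unknown path {path}"}}

if __name__ == "__main__":
    long_tok = exchange_long_lived(fake_transport, "APP_ID_EXAMPLE", APP_SECRET, "SHORT_EXAMPLE_TOKEN")
    print("page token:", redact(page_token(fake_transport, long_tok, APP_SECRET, "222")))
```

Swap `fake_transport` for a real HTTPS GET (for example `requests.get(path, params=params).json()`) and read the secret from the environment rather than a constant.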

Required Environment Variables

FB_APP_ID=...           # From Meta for Developers
FB_APP_SECRET=...       # App secret
FB_PAGE_ID=...          # Target Fanpage ID
FB_PAGE_ACCESS_TOKEN=... # From fb_token_helper.py

Key API Endpoints

Post text

POST /v21.0/{page_id}/feed
  message=...
  access_token={page_token}

Upload photo (unpublished)

POST /v21.0/{page_id}/photos
  url={image_url}
  published=false
  access_token={page_token}
→ Returns: { "id": "PHOTO_ID" }

Post with photo

POST /v21.0/{page_id}/feed
  message=...
  attached_media[0]={"media_fbid":"PHOTO_ID"}
  access_token={page_token}

Scheduled post

POST /v21.0/{page_id}/feed
  message=...
  scheduled_publish_time={unix_timestamp}
  published=false
  access_token={page_token}

Required Permissions

Permission              Purpose
pages_manage_posts      Create/edit posts
pages_read_engagement   Read reactions, comments
pages_show_list         List managed pages
public_profile          Basic user identity

Rate Limits

  • 200 calls/hour/user token
  • Implement retry with exponential backoff (see fb_publisher_agent.py)
  • POST 4-5 times/day max per Page for safety
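The endpoint sequence above (unpublished photo upload, then a feed post carrying attached_media[0]) combined with the retry-with-exponential-backoff the Rate Limits section asks for, as an added example that is not the skill's fb_publisher_agent.py. The callable `send(path, fields) -> dict`, `make_fake_send`, and every id and token value are constructed here; codes 4, 17, 32 and 613 are the Graph API's rate-limit error codes, and anything else is treated as non-retryable.

```python
import json
import time

THROTTLE_CODES = {4, 17, 32, 613}   # app / user / page / custom rate limit reached

class GraphError(Exception):
    def __init__(self, err):
        super().__init__(err.get("message", "graph error"))
        self.code = err.get("code")

def call(send, path, fields, attempts=5, sleep=time.sleep):
    """POST with backoff (1s, 2s, 4s, ...) on throttling only; a bad token or bad request is raised at once."""
    for i in range(attempts):
        resp = send(path, fields)
        if "error" not in resp:
            return resp
        err = GraphError(resp["error"])
        if err.code not in THROTTLE_CODES or i == attempts - 1:
            raise err
        sleep(2 ** i)

def publish_with_photo(send, page_id, token, message, image_url, sleep=time.sleep):
    """Upload the photo unpublished, then attach its id to a feed post."""
    photo = call(send, f"/v21.0/{page_id}/photos",
                 {"url": image_url, "published": "false", "access_token": token}, sleep=sleep)
    return call(send, f"/v21.0/{page_id}/feed",
                {"message": message,
                 "attached_media[0]": json.dumps({"media_fbid": photo["id"]}),
                 "access_token": token}, sleep=sleep)

# Constructed stand-in for the HTTPS POST: throttles the first photo upload (code 32), then succeeds.
def make_fake_send():
    calls = []
    def send(path, fields):
        calls.append((path, dict(fields)))
        if path.endswith("/photos"):
            if sum(p.endswith("/photos") for p, _ in calls) == 1:
                return {"error": {"message": "Page request limit reached", "code": 32}}
            return {"id": "PHOTO_ID_EXAMPLE"}
        if path.endswith("/feed"):
            return {"id": "PAGEID_POSTID_EXAMPLE"}
        return {"error": {"message": "unknown path", "code": 100}}
    send.calls = calls
    return send

if __name__ == "__main__":
    send = make_fake_send()
    post = publish_with_photo(send, "PAGE_ID_EXAMPLE", "PAGE_TOKEN_EXAMPLE", "hello", "https://example.com/image.png")
    print("posted", post["id"], "after", len(send.calls), "calls")
```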

Security

  • Never log tokens or app secrets
  • Store all secrets in .env (ignored by git)
  • Validate webhook signatures if using webhooks
  • Monitor token validity daily with a cron job
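Worked example for the "validate webhook signatures" item, added here and not part of the skill: Meta signs each webhook delivery with an X-Hub-Signature-256 header equal to "sha256=" followed by HMAC-SHA256 of the raw body keyed with the app secret, and the subscription handshake echoes hub.challenge only when hub.verify_token matches. The function names, the sample payload and the secret are constructed for this example.

```python
import hashlib
import hmac
import json

def sign_body(raw_body: bytes, app_secret: str) -> str:
    """Value Meta sends in X-Hub-Signature-256: 'sha256=' + HMAC-SHA256(app secret, raw body)."""
    return "sha256=" + hmac.new(app_secret.encode(), raw_body, hashlib.sha256).hexdigest()

def verify_signature(raw_body: bytes, header_value, app_secret: str) -> bool:
    """Check the header over the raw request bytes, before any JSON parsing, with a
    constant-time comparison. A missing or malformed header fails closed."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_body(raw_body, app_secret)
    return hmac.compare_digest(expected.encode(), header_value.encode())

def handle_verification(query: dict, verify_token: str):
    """Subscription handshake: return hub.challenge only when hub.verify_token matches."""
    if query.get("hub.mode") == "subscribe" and hmac.compare_digest(
            query.get("hub.verify_token", "").encode(), verify_token.encode()):
        return query.get("hub.challenge")
    return None

def handle_webhook(raw_body: bytes, headers: dict, app_secret: str):
    """Return the delivery's entry list, or None when the signature does not check out."""
    if not verify_signature(raw_body, headers.get("X-Hub-Signature-256"), app_secret):
        return None
    return json.loads(raw_body).get("entry", [])

# Constructed sample delivery (not a real Meta payload, header or secret).
APP_SECRET = "example-app-secret"
SAMPLE_BODY = json.dumps({"object": "page", "entry": [{"id": "222", "changes": [{"field": "feed"}]}]}).encode()
SAMPLE_HEADERS = {"X-Hub-Signature-256": sign_body(SAMPLE_BODY, APP_SECRET)}

if __name__ == "__main__":
    print("valid:", handle_webhook(SAMPLE_BODY, SAMPLE_HEADERS, APP_SECRET))
    tampered = SAMPLE_BODY.replace(b'"222"', b'"999"')
    print("tampered:", handle_webhook(tampered, SAMPLE_HEADERS, APP_SECRET))
```

In a web framework, pass the request's raw body bytes (not the re-serialised parsed JSON) to `handle_webhook`, and answer with HTTP 403 when it returns None.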

Comments

Loading comments...