Back to plugin

Security audit

Facebook Messenger

Security checks across malware telemetry and agentic risk

Overview

This package behaves like a disclosed Facebook Messenger channel plugin, with expected use of Meta credentials, webhooks, and Graph API calls.

Install only if you intend to connect an OpenClaw agent to a Facebook Page. Treat the Meta Page token and App Secret as sensitive, review the default open DM policy, and expect the plugin to cache a derived Page token and subscribe the Page webhook automatically.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.potential_exfiltration

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:37
Evidence
const env = params.env ?? process.env;

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/setup-entry.js:36
Evidence
const env = params.env ?? process.env;

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
dist/index.js:242
Evidence
const raw = await fs.readFile(credentialPath(accountId), "utf8");

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
dist/setup-entry.js:155
Evidence
const raw = await fs.readFile(credentialPath(accountId), "utf8");