SocialClaw CLI

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill is a disclosed wrapper around the Social Flow CLI for Meta operations. Its artifacts give meaningful confirmation guidance for write actions, but users should understand that it can read and change real Meta business accounts.

Install this only if you trust the @vishalgojha/social-flow CLI. Before use, confirm the active Meta profile, workspace, page, ad account, and WhatsApp account; review every generated command; require explicit confirmation for writes; and use localhost/API-key protections for Gateway or Studio.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user confirms the wrong command, it could affect ad spend, customer messaging, public content, or production automations.

Why it was flagged

The CLI can perform high-impact Meta actions. The skill's own artifacts classify these actions as high-risk and require explicit confirmation before running them, so the capability is disclosed and purpose-aligned rather than hidden.

Skill content
Action can create spend, send messages, publish public content, or trigger production automations.
Recommendation

Review account IDs, workspaces, budgets, recipients, and exact commands before confirming any write action; prefer read-only or dry-run commands first.
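One way to enforce that confirmation step is a small shell gate that prints the exact command and runs it only after the operator retypes the target ID from their own verification (for example after checking the active profile). This is an added example, not code from the skill or from the social-flow CLI; the confirm_write function and the DRY_RUN variable are assumptions, and the command handed to it is a placeholder, since the page does not list the CLI's write subcommands.

```shell
#!/bin/sh
# Added example; not part of the SocialClaw skill or the social-flow CLI.
# confirm_write TARGET_ID COMMAND [ARGS...]
#   Prints the exact command, then reads one line from stdin. The command runs
#   only if that line equals TARGET_ID (ad account, page, WhatsApp account or
#   workspace ID the operator has just verified). Returns 0 when confirmation
#   matched (and the command ran, unless DRY_RUN=1), 1 when it did not match
#   or no confirmation was given. DRY_RUN is an assumed helper variable.
confirm_write() {
    target="$1"
    shift
    if [ -z "$target" ] || [ "$#" -eq 0 ]; then
        echo 'usage: confirm_write TARGET_ID COMMAND [ARGS...]' >&2
        return 1
    fi
    printf 'About to run: %s\n' "$*" >&2
    printf 'Type the exact target ID this command should affect: ' >&2
    # read fails on EOF, so a script with no stdin cannot accidentally confirm.
    if ! read -r typed; then
        echo 'aborted: no confirmation given' >&2
        return 1
    fi
    if [ "$typed" != "$target" ]; then
        echo 'aborted: confirmation does not match the target ID' >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'dry run, not executing: %s\n' "$*" >&2
        return 0
    fi
    "$@"
}

# Constructed usage; "echo ..." stands in for a real write subcommand.
# printf 'act_123\n' | confirm_write act_123 echo "placeholder write for act_123"
```

Because the prompt never prints the expected ID, the operator has to supply it from the account they actually checked, which is what catches the wrong-profile case the finding describes.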

What this means

The skill may operate using the Meta account, business, page, ad account, WhatsApp, or workspace permissions available to the configured CLI profile.

Why it was flagged

The skill uses authenticated Meta access and token diagnostics through the Social Flow CLI. This is expected for Meta operations, and the artifacts also instruct not to print full tokens.

Skill content
social auth login --api facebook
social auth debug-token
social auth status
Recommendation

Use least-privilege Meta scopes and profiles, verify the active profile/workspace before running commands, and avoid sharing raw tokens or secrets.

What this means

Installing the skill requires trusting the external npm package that supplies the `social` binary.

Why it was flagged

The skill relies on an external npm package to provide the executable CLI. This is disclosed and central to its purpose, but the package code is not present in the provided skill artifacts, so this review did not inspect it.

Skill content
node | package: @vishalgojha/social-flow | creates binaries: social
Recommendation

Install from the expected npm/GitHub source, consider pinning or reviewing the package version, and avoid running it in highly privileged environments unless trusted.
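A concrete form of the pinning advice is to record one exact version in package.json and install from the lockfile with npm ci, then check that the recorded spec has not drifted to a range or tag. The check below is an added example, not code from the skill or the social-flow package; the function names are assumptions, and the version "1.2.3" in the constructed sample is a placeholder, not a real release of the package.

```shell
#!/bin/sh
# Added example; not part of the SocialClaw skill or the social-flow CLI.
# Verifies that package.json pins @vishalgojha/social-flow to one exact version
# (no ^, ~, ranges, tags or "latest"), so `npm ci` installs the version that was
# reviewed. An install that produces such a pin (version is a placeholder):
#   npm install --save-exact --ignore-scripts @vishalgojha/social-flow@<reviewed version>

PKG='@vishalgojha/social-flow'

# exact_version_spec SPEC -> 0 if SPEC is a bare X.Y.Z with optional -prerelease
exact_version_spec() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'
}

# dependency_spec FILE -> prints the version spec recorded for $PKG, if any
dependency_spec() {
    sed -n 's/.*"@vishalgojha\/social-flow"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_pinned FILE -> 0 pinned; 1 floating or tag spec; 2 package not listed
check_pinned() {
    spec="$(dependency_spec "$1")"
    if [ -z "$spec" ]; then
        echo "$PKG is not listed in $1" >&2
        return 2
    fi
    if exact_version_spec "$spec"; then
        echo "$PKG pinned to $spec"
        return 0
    fi
    echo "$PKG has a floating spec \"$spec\"; pin an exact version and use npm ci" >&2
    return 1
}

# write_sample FILE SPEC -> constructed package.json fragment for testing the
# check offline; "1.2.3" below is a placeholder, not a real release.
write_sample() {
    printf '{ "dependencies": { "@vishalgojha/social-flow": "%s" } }\n' "$2" > "$1"
}

# Usage: write_sample ./package.json "1.2.3"; check_pinned ./package.json
```

Run it in the directory where the skill's npm install spec lands before the first npm ci; a non-zero exit means the next install could pull a version nobody reviewed.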

What this means

A misconfigured Gateway or Studio session could expose Meta operations or account data to other local or network actors.

Why it was flagged

The artifacts document local Gateway/Studio control-plane workflows and also mention API-key and localhost options. This is purpose-aligned, but users should ensure the gateway is not exposed more broadly than intended.

Skill content
social gateway --open
social studio
...
social gateway --host 127.0.0.1 --port 1310 --require-api-key
Recommendation

Bind Gateway to 127.0.0.1, require an API key when available, avoid permissive CORS/network exposure, and close the gateway when finished.
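A quick way to confirm the gateway really is bound only to loopback is to inspect the listening sockets rather than trust the flags that were typed. The check below is an added example, not code from the skill or the social-flow CLI; the function names are assumptions, and the `ss -ltn` lines are constructed samples in that tool's output format, not captured from a real host. Port 1310 is the gateway port shown in the skill content.

```shell
#!/bin/sh
# Added example; not part of the SocialClaw skill or the social-flow CLI.
# check_gateway_bind PORT
#   Reads `ss -ltn` style listener lines from stdin and prints every socket on
#   PORT that is not bound to a loopback address (127.0.0.0/8 or ::1).
#   Exit 0: only loopback listeners on PORT; 1: an exposed listener was found;
#   2: nothing is listening on PORT at all (gateway not running, or other port).
check_gateway_bind() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            found = 1
            # Everything before the final ":port" is the address (v4, [v6] or *).
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr !~ /^127\./ && addr != "[::1]" && addr != "::1") {
                exposed = 1
                print "exposed listener: " $0
            }
        }
        END {
            if (!found) exit 2
            if (exposed) exit 1
            exit 0
        }'
}

# Constructed sample in the format of `ss -ltn` (not captured from a real host):
# gateway on 1310 bound to loopback only, plus an unrelated sshd listener.
sample_loopback_only() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:1310       0.0.0.0:*
LISTEN  0       128     [::1]:1310           [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
EOF
}

# Constructed sample of the misconfiguration the finding warns about:
# the gateway listening on all IPv4 and IPv6 interfaces.
sample_exposed() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:1310         0.0.0.0:*
LISTEN  0       128     [::]:1310            [::]:*
EOF
}

# Live usage on a Linux host after starting the gateway:
#   ss -ltn | check_gateway_bind 1310
```

The check flags `[::]` as well as `0.0.0.0`, since a gateway started with an IPv4 loopback bind can still be reachable over IPv6 if it was restarted with a different host option; exit code 2 is also worth treating as a failure in automation, because it means the expected listener is absent and the API-key requirement was never exercised.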