ai agent
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is clearly about Facebook Page automation, but it asks for powerful Facebook credentials and public posting authority without registry disclosure or clear user-approval safeguards.
Install only if you intentionally want an agent to help manage Facebook Page posting. Before use, make sure credentials are stored securely, permissions are least-privilege, every publish or schedule action requires your explicit approval, and any referenced helper scripts are reviewed and trusted.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If misused or exposed, these credentials could allow someone or an automated agent to act on the connected Facebook Page.
The skill requires sensitive Facebook application and Page credentials, while the supplied registry metadata declares no required environment variables or primary credential.
FB_APP_SECRET=... # App secret FB_PAGE_ACCESS_TOKEN=... # From fb_token_helper.py
Declare the credential requirements in metadata, use least-privilege tokens, store secrets outside chat/history, and rotate/revoke tokens if exposure is suspected.
An agent following the skill could publish or schedule public Page content with limited built-in safeguards.
The skill instructs direct API calls that publish to a Facebook Page, but the artifacts do not define confirmation gates, preview steps, target-page checks, or rollback controls before creating public content.
POST /v21.0/{page_id}/feed
message=...
access_token={page_token}Require explicit user approval before every publish or schedule action, show the exact page, message, media, and time, and provide clear deletion or rollback instructions.
If a user obtains or creates these helper scripts elsewhere, those scripts would handle powerful credentials and posting actions without being covered by this review.
SKILL.md references helper scripts for token exchange and publishing, but the provided file manifest contains only SKILL.md, so the referenced code was not available for review.
agents/fb_token_helper.py ← Get & exchange tokens (run this first!) agents/fb_publisher_agent.py ← Post text / images to Page
Only use helper scripts from a trusted, reviewed source, and review any code that handles Facebook tokens or publishes Page content before running it.
A long-lived token or background monitor could continue enabling Page access beyond a single posting task if not controlled.
The skill discusses long-lived Page access and recurring cron-based monitoring; this appears purpose-aligned but introduces persistent account access considerations.
Page Access Token (never expires*) ... Monitor token validity daily with a cron job
Avoid unnecessary background jobs, document any scheduled monitoring, and periodically revoke or rotate Page tokens that are no longer needed.