A transparent proxy for the Facebook Graph API. Replace the domain, pass your Yuri API token, and call any Facebook endpoint — no Facebook access token needed on the client side.

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill openly describes itself as a Facebook API proxy, but it routes broad Facebook account authority and request data through a third-party gateway that supports every Graph API endpoint, including write and delete actions.

Use this only if you trust baiz.ai to handle Facebook account authority and request data. Start with a test or least-privilege account, avoid production Facebook assets, require human confirmation for any write/delete/publish/ad-management action, and verify token scopes, logging, retention, and revocation before installing or using it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse (Severity: High)
What this means

The provider and anyone with the Yuri token may be able to act on linked Facebook resources, potentially affecting pages, ads, business assets, or account data.

Why it was flagged

The guide requires delegating Facebook authorization to a third-party service or using a pre-authorized Facebook account supplied by that service.

Skill content
Choose one: ... "Request access" | Contact the Yuri team to get a pre-authorized Facebook account ... "Authorize your own" | Link your Facebook account through the Yuri dashboard
Recommendation

Use only test or least-privilege Facebook assets until the provider is verified; confirm OAuth scopes, revocation, audit logs, and who can access any pre-authorized accounts.

ASI02: Tool Misuse and Exploitation (Severity: High)
What this means

An agent using this skill could make high-impact Facebook API calls, including edits, deletes, uploads, or public/business changes, if it holds a valid Yuri token; the proxy supplies the Facebook authority server-side, so the Yuri token alone is enough.

Why it was flagged

The skill exposes the full raw Facebook Graph API through the proxy, including mutating and deleting operations, with no documented guardrails or approval workflow.

Skill content
HTTP methods | GET, POST, PUT, DELETE, etc. ... Endpoints | All Facebook Graph API endpoints and versions ... File uploads | multipart/form-data
Recommendation

Require explicit user confirmation for POST, PUT, DELETE, uploads, publishing, ad changes, or account-management actions, and prefer narrowly scoped tokens and endpoint allowlists.
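One way to put the recommended guardrails in front of the proxy, and to carry out the scope check suggested under ASI03, as an added example that is not code from the skill or from baiz.ai: a request gate that denies everything not on an endpoint allowlist, flags every state-changing call for human confirmation, refuses to forward a client-side Facebook access token, and reports which granted scopes exceed what the agent needs. It assumes the agent builds each call as (method, path, params) before sending it; the allowlists and REQUIRED_SCOPES are hypothetical values for a read-mostly page-analytics agent, and SAMPLE_DEBUG_TOKEN is a constructed response shaped like the Graph API /debug_token endpoint's documented format. Only the proxy host name is taken from the skill text.

```python
"""Request gate for an agent that calls the Graph API through a proxy host.

Added example; not code from the skill or from baiz.ai. Assumptions:
the agent builds each call as (method, path, params) before sending it,
the allowlists and REQUIRED_SCOPES are hypothetical values for a
read-mostly page-analytics agent, and SAMPLE_DEBUG_TOKEN is a constructed
response shaped like the Graph API /debug_token endpoint's documented format.
"""
import re
from dataclasses import dataclass

PROXY_HOST = "facebook-graph.baiz.ai"          # host name from the skill text
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Allowlist patterns: '*' matches exactly one path segment, so "/*/insights"
# matches "/123/insights" but not "/123/x/insights". Anything not listed is denied.
READ_ALLOWLIST = ["/me", "/me/accounts", "/*/insights", "/*/posts"]
WRITE_ALLOWLIST = ["/*/feed"]                   # allowed only after confirmation
REQUIRED_SCOPES = {"pages_show_list", "pages_read_engagement"}

_VERSION_RE = re.compile(r"^/v\d+\.\d+(?=/|$)")


@dataclass
class Decision:
    allow: bool               # may the call be sent to the proxy at all?
    needs_confirmation: bool  # must a human approve it first?
    reason: str


def normalize_path(path: str) -> str:
    """Drop the version prefix so allowlists apply to every Graph API version."""
    if not path.startswith("/"):
        path = "/" + path
    path = _VERSION_RE.sub("", path)
    return path.rstrip("/") or "/"


def _on_list(path: str, patterns) -> bool:
    segs = path.split("/")
    for pat in patterns:
        psegs = pat.split("/")
        if len(psegs) == len(segs) and all(p in ("*", s) for p, s in zip(psegs, segs)):
            return True
    return False


def evaluate(method: str, path: str, params=None, upload: bool = False) -> Decision:
    """Decide whether a call may go to the proxy and whether a human must approve it."""
    method = method.upper()
    params = params or {}
    norm = normalize_path(path)

    # The proxy resolves the Facebook token server-side; a client-supplied
    # access_token would only hand a real Facebook credential to the gateway.
    if "access_token" in params:
        return Decision(False, False, "client-side access_token must not be sent through the proxy")

    if method == "GET" and not upload:
        if _on_list(norm, READ_ALLOWLIST):
            return Decision(True, False, f"GET {norm} is a read on the allowlist")
        return Decision(False, False, f"GET {norm} is not on the read allowlist")

    # Everything else can change state (mutating method or multipart upload):
    # deny by default, and require explicit confirmation even when allowed.
    if method in MUTATING_METHODS and not upload and _on_list(norm, WRITE_ALLOWLIST):
        return Decision(True, True, f"{method} {norm} changes state; confirm with the user first")
    return Decision(False, False, f"{method} {norm} (upload={upload}) is not on the write allowlist")


def excess_scopes(debug_token_response: dict) -> set:
    """Scopes the linked token holds beyond what this agent needs."""
    granted = set(debug_token_response.get("data", {}).get("scopes", []))
    return granted - REQUIRED_SCOPES


def proxy_url(path: str) -> str:
    """Build the proxy URL the way the skill describes: only the host changes."""
    return f"https://{PROXY_HOST}{path if path.startswith('/') else '/' + path}"


# Constructed sample: an over-privileged token as /debug_token would report it.
SAMPLE_DEBUG_TOKEN = {
    "data": {
        "is_valid": True,
        "scopes": ["pages_show_list", "pages_read_engagement",
                   "pages_manage_posts", "ads_management"],
    }
}

if __name__ == "__main__":
    for call in [("GET", "/v19.0/me/accounts"), ("POST", "/v19.0/123/feed"),
                 ("DELETE", "/v19.0/456"), ("GET", "/v19.0/act_789/adsets")]:
        d = evaluate(*call)
        print(f"{call[0]:6} {call[1]:22} allow={d.allow} confirm={d.needs_confirmation}  {d.reason}")
    print("excess scopes:", sorted(excess_scopes(SAMPLE_DEBUG_TOKEN)))
    print(proxy_url("/v19.0/me"))
```

The gate sits between the agent's tool call and the HTTP client, so the proxy never sees a request the policy did not pass. Two points worth keeping: deny-by-default on the path (an ads endpoint such as /act_.../adsets is refused even though the proxy would serve it), and a separate "allowed but needs confirmation" state for publishing, so the agent cannot silently post to a page just because the endpoint is permitted.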

ASI07: Insecure Inter-Agent Communication (Severity: Medium)
What this means

Facebook request data and account-related operations may be visible to or processed by the gateway provider, including potentially sensitive business or user data.

Why it was flagged

All Facebook API paths, parameters, bodies, uploads, and token resolution are routed through the external baiz.ai gateway, but the artifacts do not describe retention, logging, isolation, or data-use limits.

Skill content
Replace graph.facebook.com with facebook-graph.baiz.ai ... Everything else — paths, query parameters, request bodies, HTTP methods — stays identical ... Facebook access tokens are securely stored and managed on the server.
Recommendation

Review the provider’s privacy, retention, logging, and security documentation before use; avoid sensitive uploads or production data until those controls are verified.

ASI04: Agentic Supply Chain Vulnerabilities (Severity: Low)
What this means

A clean static scan here only means there was no local code to analyze; it says nothing about how the external proxy stores tokens or handles Facebook requests.

Why it was flagged

There is no local code to inspect, and the real security properties depend on an external gateway whose implementation is not included in the artifact set.

Skill content
Source: unknown ... No code files present — this is an instruction-only skill.
Recommendation

Treat the provider as part of the trusted computing base and verify its documentation, ownership, audit status, and support for token revocation before relying on it.