OpenClaw skill for Facebook Graph API workflows focused on Pages posting, comments, and Page management using direct HTTPS requests.
Security Analysis
Confidence: medium. The skill's instructions correctly describe Facebook Page workflows, but the registry metadata does not declare the sensitive credentials (App ID, App Secret, Page tokens) that SKILL.md says are required. That mismatch can lead to insecure handling of secrets.
The name, description, and all reference files consistently describe Facebook Graph API Page workflows (posting, comments, webhooks). There are no unrelated services, binaries, or capabilities requested that don't belong to a Facebook Pages skill.
SKILL.md and the references stay within the stated scope (HTTP templates, token exchange flow, webhook verification, comment moderation). They do request sensitive inputs (App ID, App Secret, Page IDs, and Page access tokens) but do not instruct the agent to access unrelated system files or external endpoints other than graph.facebook.com.
This is instruction-only with no install spec or code to download — lowest install risk. No archives, third-party packages, or remote installers are involved.
The SKILL.md explicitly requires App ID, App Secret, Page ID(s), and Page access tokens, but registry metadata lists no required environment variables and no primary credential. That mismatch is a red flag: sensitive secrets are needed for operation but are not declared in metadata or assigned a primaryEnv. Without declared secret handling, an agent or user may end up pasting secrets into chat or storing them insecurely. The actual set of requested secrets is proportionate to the purpose, but the omission from metadata is problematic.
The manifest sets always:false and declares no install actions. The skill does not request permanent platform presence or modify other skills. Autonomous invocation remains enabled (the platform default) but is not excessive given the skill's purpose.
Guidance
This skill appears to be what it says (Facebook Pages via Graph API), but there is a critical metadata mismatch: SKILL.md requires App ID, App Secret, Page IDs, and Page access tokens, yet the registry lists no required environment variables or primary credential. Before installing or using it:
1) Ask the publisher why secrets are not declared in metadata and request that they add a primary credential (e.g., PAGE_ACCESS_TOKEN) and the required env vars so the platform can handle secrets safely.
2) Do NOT paste the App Secret or access tokens directly into chat; prefer a secret manager or environment variables handled by the agent platform.
3) Limit token scopes to least privilege, use a test Page for verification, and rotate tokens after testing.
4) Confirm the skill's source and author (the homepage field is missing); if the publisher is unknown, review carefully or decline until metadata and source are clarified.
5) Require explicit instructions from the author about where and how secrets will be stored and whether the skill will ever transmit them off-platform.
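The following is an added example written for this review; it is not code from the skill or its reference files. It shows the secret-handling pattern points 1 and 2 above ask for, and the two Graph API checks the reference files mention (token use and webhook verification), in a form that can be tested offline: secrets are read only from environment variables (refusing to run if they are absent), every Graph request carries an appsecret_proof (HMAC-SHA256 of the access token keyed with the App Secret, which Meta can be configured to require so a leaked token cannot be replayed from outside the server holding the secret), incoming webhook deliveries are checked against the X-Hub-Signature-256 header over the raw body in constant time, and the subscription handshake only echoes hub.challenge when the verify token matches. The env var names, the Graph API version in the URL, and all sample values are assumptions made for the example.

```python
import hashlib
import hmac
import os
from urllib.parse import urlencode

# Assumption: API version and env var names are illustrative, not taken from the skill.
GRAPH_BASE = "https://graph.facebook.com/v19.0"
ENV_APP_SECRET = "FB_APP_SECRET"
ENV_PAGE_TOKEN = "PAGE_ACCESS_TOKEN"
ENV_VERIFY_TOKEN = "WEBHOOK_VERIFY_TOKEN"


def load_secret(name, env=None):
    """Read a required secret from the environment (or an injected mapping for tests).
    Refusing to run without it forces secrets through the platform's env handling
    instead of being pasted into chat."""
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError("required secret %s is not set" % name)
    return value


def appsecret_proof(app_secret, access_token):
    """Graph API appsecret_proof: HMAC-SHA256 of the access token keyed with the app secret."""
    return hmac.new(app_secret.encode(), access_token.encode(), hashlib.sha256).hexdigest()


def build_post_request(page_id, message, access_token, app_secret):
    """Return (url, form_body) for POST /{page-id}/feed. The token and proof travel in
    the request body rather than the query string so they stay out of URL logs."""
    url = "%s/%s/feed" % (GRAPH_BASE, page_id)
    body = urlencode({
        "message": message,
        "access_token": access_token,
        "appsecret_proof": appsecret_proof(app_secret, access_token),
    })
    return url, body


def sign_webhook_body(app_secret, raw_body):
    """Compute the X-Hub-Signature-256 value Meta attaches to webhook deliveries.
    Used here only to construct sample deliveries for the demo and tests."""
    digest = hmac.new(app_secret.encode(), raw_body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_webhook_signature(app_secret, raw_body, signature_header):
    """Validate X-Hub-Signature-256 over the raw (unparsed) body using a constant-time compare."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = sign_webhook_body(app_secret, raw_body)
    return hmac.compare_digest(signature_header, expected)


def answer_verification_challenge(query, verify_token):
    """Webhook subscription handshake: echo hub.challenge only when hub.mode is
    'subscribe' and hub.verify_token matches; otherwise return None (respond 403)."""
    if query.get("hub.mode") != "subscribe":
        return None
    if not hmac.compare_digest(query.get("hub.verify_token", ""), verify_token):
        return None
    return query.get("hub.challenge")


if __name__ == "__main__":
    # Constructed environment standing in for the platform's secret injection.
    env = {
        ENV_APP_SECRET: "example-app-secret",
        ENV_PAGE_TOKEN: "example-page-token",
        ENV_VERIFY_TOKEN: "verify-me",
    }
    app_secret = load_secret(ENV_APP_SECRET, env)
    token = load_secret(ENV_PAGE_TOKEN, env)
    url, body = build_post_request("123456789", "Hello from the skill", token, app_secret)
    print(url)
    print(body)
    # Constructed webhook delivery, signed the way Meta would sign it.
    delivery = b'{"object":"page","entry":[{"id":"123456789","changes":[]}]}'
    header = sign_webhook_body(app_secret, delivery)
    print("signature valid:", verify_webhook_signature(app_secret, delivery, header))
    print("tampered valid:", verify_webhook_signature(app_secret, delivery + b" ", header))
    handshake = {"hub.mode": "subscribe", "hub.verify_token": "verify-me", "hub.challenge": "42"}
    print("challenge:", answer_verification_challenge(handshake, load_secret(ENV_VERIFY_TOKEN, env)))
```

If the skill's instructions are followed as written, the App Secret and Page token arrive in the conversation rather than via load_secret; declaring them as required env vars in the registry metadata is what lets the platform inject them the way the example assumes.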
Latest Release
v1.0.1
Version 1.0.1
- Expanded documentation with six new reference files covering Graph API overview, Page posting, comments moderation, permissions/tokens, webhooks, and HTTP request examples.
- Updated guidance to focus on direct HTTPS requests for Facebook Pages: posting, comment management, and Page operations.
- Clarified required inputs (App ID/Secret, Page ID, token strategy).
- Added detailed security and operational guardrails.
- Clearly defined recommended use cases and limitations.
Published by @codedao12 on ClawHub