← Back to Skills Marketplace
kevinkom-byte

Facebook Graph API Skill (Secure)

by kevinkom-byte · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
170
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install facebook-secure
Description
OpenClaw skill for Facebook Graph API workflows focused on Pages posting, comments, and Page management using direct HTTPS requests.
README (SKILL.md)

Facebook Graph API Skill (Advanced)

Purpose

Provide a production-oriented guide for building Facebook Graph API workflows for Pages: publishing posts, managing comments, and operating Page content safely using direct HTTPS calls.

Best fit

  • You need Page posting and comment workflows.
  • You want a professional command design and safe operational guidance.
  • You prefer direct HTTP requests rather than SDKs.

Not a fit

  • You need advanced ads or marketing APIs.
  • You must use complex browser-based OAuth flows.

Quick orientation

  • Read references/graph-api-overview.md for base URLs, versions, and request patterns.
  • Read references/page-posting.md for Page publishing workflows and fields.
  • Read references/comments-moderation.md for comment actions and moderation flows.
  • Read references/permissions-and-tokens.md for access types and scope guidance.
  • Read references/webhooks.md for subscriptions and verification steps.
  • Read references/http-request-templates.md for concrete HTTP request payloads.

Required inputs

  • Facebook App ID and App Secret.
  • Target Page ID(s).
  • Token strategy: user token → Page access token.
  • Required permissions and review status.

Expected output

  • A clear Page workflow plan, permissions checklist, and operational guardrails.

Operational notes

  • Use least-privilege permissions.
  • Handle rate limits and retries.
  • Log minimal identifiers only.

Security notes

  • Never log tokens or app secrets.
  • Validate webhook signatures.

Credentials & Secret Management

This skill requires the following environment variables to be set:

  • FB_APP_ID – Your Facebook App ID.
  • FB_APP_SECRET – Your Facebook App Secret (highly sensitive).
  • FB_PAGE_ID – The target Facebook Page ID.
  • FB_ACCESS_TOKEN – A Page access token with sufficient permissions.

Best practices:

  • Store secrets in a secure vault or environment manager; do not hardcode.
  • Use different tokens for development and production.
  • Rotate tokens periodically and after any suspected compromise.
  • Restrict App Secret access to minimal personnel.

Incident Response

If a token or secret is suspected to be leaked:

  1. Immediately revoke the token in the Facebook Developer Dashboard.
  2. Generate a new Page access token.
  3. Rotate the App Secret if necessary.
  4. Review logs for unauthorized usage.

Authentication

All Graph API calls must include a valid access token either as a query parameter access_token or in the Authorization: Bearer \x3Ctoken> header. See references/http-request-templates.md for examples.

Additional References

  • references/security-and-secrets.md – Detailed security guidelines.
  • references/permissions-and-tokens.md now includes environment variable requirements.
  • references/http-request-templates.md includes authentication patterns.
Usage Guidance
The skill's content appears to legitimately describe Facebook Page operations and correctly requests the Page-related secrets it needs. However, there are packaging/metadata mismatches (ownerId, slug, version, and a contradiction about which env vars are required) that reduce confidence in provenance. Before installing: 1) Verify the skill's publisher/owner and origin (do not install if the source is unknown or mismatched). 2) Prefer providing only a Page-scoped access token with minimal scopes (pages_manage_posts/pages_manage_engagement) rather than long-lived app secrets where possible; use short-lived or ephemeral credentials and a secrets manager. 3) Test the skill in an isolated environment and monitor network traffic to confirm it only communicates with graph.facebook.com. 4) If you must supply FB_APP_SECRET, keep it in a vault and rotate it after initial testing. 5) If the metadata inconsistencies persist or the publisher cannot explain them, treat the package as untrusted and avoid installing it.
Capability Analysis
Type: OpenClaw Skill Name: facebook-secure Version: 1.0.2 The skill bundle provides a well-structured and security-conscious set of instructions and templates for interacting with the Facebook Graph API. It includes detailed documentation on authentication, permission management, and security best practices (e.g., avoiding token leakage in logs and validating webhook signatures). No malicious code, data exfiltration patterns, or harmful prompt injection attempts were identified across the files, including SKILL.md and the reference documents.
Capability Assessment
Purpose & Capability
The skill's name, description, and SKILL.md all describe Page posting, comment moderation, and webhook handling — and the requested credentials (FB_APP_ID, FB_APP_SECRET, FB_PAGE_ID, FB_ACCESS_TOKEN) are reasonable for that purpose. However, top-level registry metadata in the submission summary claims no required env vars while _meta.json and SKILL.md declare the sensitive env vars, and the _meta.json ownerId/slug/version differ from the registry metadata — this inconsistency weakens trust in the package provenance.
Instruction Scope
SKILL.md and the reference documents provide concrete HTTP request templates, webhook validation guidance, and token handling best practices. The instructions do not direct the agent to read unrelated system files or external endpoints beyond Facebook Graph API, nor do they instruct exfiltration of secrets. They explicitly warn not to log tokens and to validate signatures.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. That minimizes installation risk — nothing is downloaded or written by an installer.
Credentials
The set of environment variables requested (App ID, App Secret, Page ID, Page access token) is appropriate and proportionate for the described functionality. The concern stems from metadata inconsistencies: the provided summary shows 'Required env vars: none', while both SKILL.md and _meta.json require sensitive env vars and declare FB_ACCESS_TOKEN as primaryEnv. Incoherent packaging increases the risk that the skill was repackaged or tampered with, which matters because the skill asks for high-sensitivity secrets.
Persistence & Privilege
The skill does not request always:true and is user-invocable; autonomous invocation is allowed (platform default). It does not request system-level persistence or modify other skills' configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install facebook-secure
  3. After installation, invoke the skill by name or use /facebook-secure
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Security hardening: env-based credentials, security-and-secrets.md, auth patterns.
Metadata
Slug facebook-secure
Version 1.0.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Facebook Graph API Skill (Secure)?

OpenClaw skill for Facebook Graph API workflows focused on Pages posting, comments, and Page management using direct HTTPS requests. It is an AI Agent Skill for Claude Code / OpenClaw, with 170 downloads so far.

How do I install Facebook Graph API Skill (Secure)?

Run "/install facebook-secure" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Facebook Graph API Skill (Secure) free?

Yes, Facebook Graph API Skill (Secure) is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Facebook Graph API Skill (Secure) support?

Facebook Graph API Skill (Secure) is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Facebook Graph API Skill (Secure)?

It is built and maintained by kevinkom-byte (@kevinkom-byte); the current version is v1.0.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments