Facebook Page Manager 1.0.0
v1.0.0
Manage Facebook Pages via Meta Graph API. Post content (text, photos, links), list posts, manage comments (list/reply/hide/delete). Use when user wants to pu...
MIT-0
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill advertises Facebook Page management and provides auth/CLI/posting scripts that match that purpose. However, two additional scripts (x_digest_collect.js and x_digest_to_fb.js) perform searches on X and automatically post digests to Facebook. Those X-related capabilities are not documented in SKILL.md (no commands or setup guidance), so the bundle contains extra functionality that a user wouldn't expect from the description.
Instruction Scope
SKILL.md documents only the Facebook auth flow and npm install, but it does not mention the X-digest scripts, their required environment variables (AUTH_TOKEN, CT0), or the dependency on an external 'bird' CLI. SKILL.md also states tokens are saved to ~/.config/fbpage/tokens.json, while auth.js actually writes tokens.json into the skill directory — a concrete mismatch. The instructions therefore omit actions and secrets that the included code requires.
Install Mechanism
There is no formal install spec (instruction-only), which is lower risk in general, and the Node dependencies (commander, dotenv) are standard. However the x_digest scripts call an external binary named 'bird' via execFileSync; SKILL.md does not declare that any external binary is required nor its provenance. Requiring an undocumented external binary that will be executed with elevated environment variables increases risk.
Credentials
env_example.md and SKILL.md only document META_APP_ID / META_APP_SECRET, but the code requires additional secrets: the x_digest scripts require AUTH_TOKEN and CT0 (X cookies). The skill does not declare these env requirements in its metadata. Also the SKILL.md claims tokens are saved to ~/.config/fbpage/tokens.json but auth.js writes tokens.json into the skill directory — inconsistent handling of credential storage. Requesting X cookies is disproportionate to the advertised purpose unless the user explicitly wants automated X→Facebook posting.
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). But it writes tokens.json to disk (in the skill directory), downloads remote images to /tmp, and executes an external 'bird' binary while injecting sensitive X cookies into its environment. Executing an external program with sensitive environment variables and writing token files creates a higher blast radius if the invoked binary or the script is malicious or misconfigured.
What to consider before installing
This skill contains mostly-expected Facebook CLI code but also includes two undocumented X→Facebook digest scripts that require X cookies (AUTH_TOKEN, CT0) and an external 'bird' binary. Before installing or running it:
1) Ask the author why the X-digest scripts are bundled and request explicit documentation of required env vars and binaries.
2) Do NOT provide your X cookies (AUTH_TOKEN/CT0) unless you fully trust the author and have audited those scripts.
3) Verify the provenance of any external 'bird' binary before installing; avoid installing unknown executables.
4) Note the tokens file path mismatch (SKILL.md vs actual code); confirm where tokens will be stored and consider storing tokens in a location you control.
5) If you only need FB management, remove or ignore x_digest_*.js files or run the package in an isolated environment (VM/container) and inspect the code yourself.
If you want help producing a minimal, audited version that only implements the FB CLI, I can outline the exact files/lines to remove or sanitize.
Like a lobster shell, security has layers — review code before you run it.
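One way to check a bundle for the mismatch the scan describes (environment variables and external binaries that the scripts use but the documentation never declares), as an added example that is not part of the skill or of the scanner. The function name `auditBundle` and the sample documentation and script contents are constructed for illustration; only the variable, binary and file names come from the report above.

```javascript
// Added example: flag env vars and external binaries that a skill's scripts use
// but its documentation never mentions. All sample content below is constructed.
const ENV_RE = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*['"]([A-Za-z_]\w*)['"]\s*\])/g;
const EXEC_RE = /\b(?:execFileSync|execFile|execSync|exec|spawnSync|spawn)\s*\(\s*['"`]([^'"`\s]+)/g;

function auditBundle(files, docsText) {
  // Words the documentation mentions at all (env names, binary names).
  const declared = new Set(docsText.split(/[^A-Za-z0-9_-]+/));
  const seen = new Set();
  const findings = [];
  const report = (file, kind, value) => {
    const key = `${file}|${kind}|${value}`;
    if (declared.has(value) || seen.has(key)) return; // documented, or already reported
    seen.add(key);
    findings.push({ file, kind, value });
  };
  for (const [file, source] of Object.entries(files)) {
    for (const m of source.matchAll(ENV_RE)) report(file, 'undeclared-env', m[1] || m[2]);
    for (const m of source.matchAll(EXEC_RE)) report(file, 'undeclared-binary', m[1]);
  }
  return findings;
}

// Constructed stand-ins for the documentation and two scripts (not the real files).
const sampleDocs = 'Setup: put META_APP_ID and META_APP_SECRET in .env, run npm install, then node auth.js login.';
const sampleFiles = {
  'auth.js': "const id = process.env.META_APP_ID; const secret = process.env['META_APP_SECRET'];",
  'x_digest_collect.js': [
    "const { execFileSync } = require('child_process');",
    'const env = { ...process.env, AUTH_TOKEN: process.env.AUTH_TOKEN, CT0: process.env.CT0 };',
    "const out = execFileSync('bird', args, { env });",
  ].join('\n'),
};

for (const f of auditBundle(sampleFiles, sampleDocs)) {
  console.log(`${f.file}: ${f.kind} ${f.value}`);
}
```

The patterns are a static heuristic: they miss computed property names and command strings built at run time, so an empty result does not replace reading the scripts.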
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Facebook Page
A skill for managing a Facebook Page via the Meta Graph API.
Features
- List the Pages the user manages
- Publish posts (text, photo, link)
- List a Page's posts
- List/reply/hide/delete comments
Setup (one-time)
1. Create a Meta App
- Go to https://developers.facebook.com/apps/ → Create App
- Choose "Other" → "Business" (or Consumer, depending on the use case)
- Enter the app name and email
- Go to App settings > Basic: get the App ID and App Secret
2. Configure OAuth
- Go to Add Product → add Facebook Login
- In Facebook Login > Settings:
  - Valid OAuth Redirect URIs: leave empty (uses the manual code flow)
- Go to App Roles > Roles → add the account as Admin/Developer
3. Configure .env
cd skills/facebook-page
cp .env.example .env
# Edit .env with the App ID and Secret
4. Install dependencies and obtain the token
cd scripts
npm install
node auth.js login
The script will:
- Print a URL for the user to open in a browser, log in, and approve the permissions
- The user copies the URL after approving (it contains code=...)
- Paste the URL into the terminal
- The script exchanges the code → long-lived token → page tokens
- Save the tokens to ~/.config/fbpage/tokens.json
Commands
List pages
node cli.js pages
Create a text post
node cli.js post create --page PAGE_ID --message "Hello world"
Create a post with a photo
node cli.js post create --page PAGE_ID --message "Caption" --photo /path/to/image.jpg
Create a post with a link
node cli.js post create --page PAGE_ID --message "Check this out" --link "https://example.com"
List posts
node cli.js post list --page PAGE_ID --limit 10
List a post's comments
node cli.js comments list --post POST_ID
Reply comment
node cli.js comments reply --comment COMMENT_ID --message "Thanks!"
Hide comment
node cli.js comments hide --comment COMMENT_ID
Delete comment
node cli.js comments delete --comment COMMENT_ID
Required permissions
- pages_show_list - list pages
- pages_read_engagement - read posts/comments
- pages_manage_posts - create/edit/delete posts
- pages_manage_engagement - manage comments
Notes
- Page tokens do not expire (if obtained from a long-lived user token)
- Do not log/print tokens to output
- An app in Testing mode only works with accounts listed in Roles
Files
10 total
