ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meta Business Suite

v1.0.4

Meta Business Suite automation via Graph API. Use this skill when: (1) Publishing posts to Facebook Pages (2) Scheduling Facebook posts (3) Publishing to Ins...

5· 835·1 current·1 all-time
by@nachx639
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, required binaries (curl, python3), and required env vars (META_PAGE_ACCESS_TOKEN, META_PAGE_ID) align with Graph API tasks like posting, scheduling, and reading insights. Using python3 for small JSON parsing is reasonable. Nothing requested is wildly out-of-scope for a Meta Business Suite helper.
!
Instruction Scope
SKILL.md includes explicit runtime commands that will read ~/.meta_tokens_cache.json (Python one-liners) as an alternative credential source and also extracts IG_ID from that file. The skill metadata did not declare this config path or IG_ID as required, so the instructions cause the agent to read a sensitive local file not represented in the requirements. Instructions also include DELETE/post-management operations which require high privileges in the provided token — the doc shows those commands but does not emphasize least-privilege or audit guidance.
Install Mechanism
Instruction-only skill with no install steps and no downloaded code; lowest-risk install mechanism. It relies on existing curl and python3 binaries as declared.
!
Credentials
Declared env vars (META_PAGE_ACCESS_TOKEN and META_PAGE_ID) are appropriate. However, the instructions also rely on a local token cache file (~/.meta_tokens_cache.json) and implicitly on IG_ID (not declared). That introduces undeclared sensitive input access. The skill requests access to a page access token that permits create/delete/comment operations — users should ensure the token scope is limited to what they expect.
Persistence & Privilege
always is false and there is no install-time persistence or modification of other skills; the skill does not request permanent platform-level privileges. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
What to consider before installing
This skill appears to be a straightforward Graph API cookbook, but review these points before installing: - Sensitive file access: SKILL.md contains Python one-liners that read ~/.meta_tokens_cache.json to extract tokens and IG IDs. That file is sensitive and the skill metadata does not declare it. If you do not maintain such a file, the commands may fail; if you do, be aware the skill explicitly reads it. Consider removing or relocating that file or avoid using the 'Option B' cache approach. - Environment variables: The skill declares META_PAGE_ACCESS_TOKEN and META_PAGE_ID (appropriate). It references IG_ID in examples but does not declare it; either set IG_ID yourself or confirm how it will be derived. Prefer setting tokens via environment variables rather than caches. - Token scope: The token can create, edit, and delete posts and manage comments. Use a token with the minimum permissions required, and rotate/revoke tokens you pass to any third-party skills. - Operational safety: Commands include destructive actions (DELETE for posts). Confirm the agent only performs actions you explicitly request; do not give long-lived or highly privileged tokens to untrusted agents. - If you want stronger assurance: ask the skill author to (1) declare the ~/.meta_tokens_cache.json path in metadata if it's intended, (2) document IG_ID as an explicit env var option, and (3) provide explicit guidance about required token scopes and safety checks before destructive operations. Given the mismatch between documented requirements and the instructions' optional file access, proceed only after addressing the above or using isolated/limited credentials.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📱 Clawdis
Binscurl, python3
EnvMETA_PAGE_ACCESS_TOKEN, META_PAGE_ID
Primary envMETA_PAGE_ACCESS_TOKEN
analyticsvk97d80easpgstr44wpa4ftfbe181ns4pfacebookvk97d80easpgstr44wpa4ftfbe181ns4pgraph-apivk97d80easpgstr44wpa4ftfbe181ns4pinstagramvk97d80easpgstr44wpa4ftfbe181ns4platestvk97d80easpgstr44wpa4ftfbe181ns4pmetavk97d80easpgstr44wpa4ftfbe181ns4ppublishingvk97d80easpgstr44wpa4ftfbe181ns4pschedulingvk97d80easpgstr44wpa4ftfbe181ns4psocial-mediavk97d80easpgstr44wpa4ftfbe181ns4p
835downloads
5stars
5versions
Updated 7h ago
v1.0.4
MIT-0
@nachx639
analyticsfacebookgraph-apiinstagramlatestmetapublishingschedulingsocial-media
Download

Meta Business Suite — Facebook & Instagram API

Configuration

CRITICAL: Never hardcode tokens or IDs in commands. Always use variables.

Option A: Environment variables (recommended)

Set these environment variables before using the skill:

export META_PAGE_ACCESS_TOKEN="your-page-access-token"
export META_PAGE_ID="your-page-id"

Then use them directly:

PAGE_TOKEN="$META_PAGE_ACCESS_TOKEN"
PAGE_ID="$META_PAGE_ID"

The same Page Access Token works for both Facebook and Instagram (the IG Business account is linked to the Page).

Option B: Token cache file (alternative)

If environment variables are not set, credentials can be read from ~/.meta_tokens_cache.json (chmod 600):

PAGE_TOKEN=$(python3 -c "
import json, os
d = json.load(open(os.path.expanduser('~/.meta_tokens_cache.json')))
page_id = list(d['pages'].keys())[0]
print(d['pages'][page_id]['access_token'])
")

PAGE_ID=$(python3 -c "
import json, os
d = json.load(open(os.path.expanduser('~/.meta_tokens_cache.json')))
print(list(d['pages'].keys())[0])
")

IG_ID=$(python3 -c "
import json, os
d = json.load(open(os.path.expanduser('~/.meta_tokens_cache.json')))
print(list(d['instagram'].keys())[0])
")

API Version

Always use v25.0 in all API calls.

Facebook Page — Publish

Text post

curl -X POST "https://graph.facebook.com/v25.0/$PAGE_ID/feed" \
  -d "message=Tu mensaje aquí" \
  -d "access_token=$PAGE_TOKEN"

Post with image (URL)

curl -X POST "https://graph.facebook.com/v25.0/$PAGE_ID/photos" \
  -d "url=https://example.com/image.jpg" \
  -d "message=Texto del post" \
  -d "access_token=$PAGE_TOKEN"

Post with image (local file)

curl -X POST "https://graph.facebook.com/v25.0/$PAGE_ID/photos" \
  -F "source=@/path/to/image.jpg" \
  -F "message=Texto del post" \
  -F "access_token=$PAGE_TOKEN"

Post with video

curl -X POST "https://graph.facebook.com/v25.0/$PAGE_ID/videos" \
  -F "source=@/path/to/video.mp4" \
  -F "description=Descripción del vídeo" \
  -F "title=Título del vídeo" \
  -F "access_token=$PAGE_TOKEN"

Post with link

curl -X POST "https://graph.facebook.com/v25.0/$PAGE_ID/feed" \
  -d "message=Mira este artículo" \
  -d "link=https://example.com/article" \
  -d "access_token=$PAGE_TOKEN"

Facebook Page — Schedule

Schedule a post

# Get Unix timestamp: python3 -c "from datetime import datetime; print(int(datetime(2026,3,1,9,0).timestamp()))"

curl -X POST "https://graph.facebook.com/v25.0/$PAGE_ID/feed" \
  -d "message=Post programado" \
  -d "published=false" \
  -d "scheduled_publish_time=UNIX_TIMESTAMP" \
  -d "access_token=$PAGE_TOKEN"

Note: Must be between 10 minutes and 75 days from now.

List scheduled posts

curl -s "https://graph.facebook.com/v25.0/$PAGE_ID/scheduled_posts?access_token=$PAGE_TOKEN"

Facebook Page — Read & Manage

Page info

curl -s "https://graph.facebook.com/v25.0/$PAGE_ID?fields=name,fan_count,followers_count,about&access_token=$PAGE_TOKEN"

Recent posts

curl -s "https://graph.facebook.com/v25.0/$PAGE_ID/feed?fields=message,created_time,id,shares,likes.summary(true),comments.summary(true)&limit=10&access_token=$PAGE_TOKEN"

Page insights

curl -s "https://graph.facebook.com/v25.0/$PAGE_ID/insights?metric=page_views_total,page_fan_adds,page_engaged_users&period=day&access_token=$PAGE_TOKEN"

Delete a post

curl -X DELETE "https://graph.facebook.com/v25.0/POST_ID?access_token=$PAGE_TOKEN"

Comment on a post

curl -X POST "https://graph.facebook.com/v25.0/POST_ID/comments" \
  -d "message=Tu comentario" \
  -d "access_token=$PAGE_TOKEN"

Instagram — Publish

Instagram uses a 2-step process: create media container → publish.

Photo post

# Step 1: Create container
CONTAINER_ID=$(curl -s -X POST "https://graph.facebook.com/v25.0/$IG_ID/media" \
  -d "image_url=https://example.com/image.jpg" \
  -d "caption=Tu caption con #hashtags" \
  -d "access_token=$PAGE_TOKEN" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

# Step 2: Publish
curl -X POST "https://graph.facebook.com/v25.0/$IG_ID/media_publish" \
  -d "creation_id=$CONTAINER_ID" \
  -d "access_token=$PAGE_TOKEN"

Reel (video)

# Step 1: Create container
CONTAINER_ID=$(curl -s -X POST "https://graph.facebook.com/v25.0/$IG_ID/media" \
  -d "media_type=REELS" \
  -d "video_url=https://example.com/video.mp4" \
  -d "caption=Caption del reel #reels" \
  -d "access_token=$PAGE_TOKEN" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

# Step 2: Wait for processing
curl -s "https://graph.facebook.com/v25.0/$CONTAINER_ID?fields=status_code&access_token=$PAGE_TOKEN"
# Poll until status_code = "FINISHED"

# Step 3: Publish
curl -X POST "https://graph.facebook.com/v25.0/$IG_ID/media_publish" \
  -d "creation_id=$CONTAINER_ID" \
  -d "access_token=$PAGE_TOKEN"

Carousel (multiple images)

# Step 1: Create each item
IMG1=$(curl -s -X POST "https://graph.facebook.com/v25.0/$IG_ID/media" \
  -d "image_url=https://example.com/img1.jpg" \
  -d "is_carousel_item=true" \
  -d "access_token=$PAGE_TOKEN" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

IMG2=$(curl -s -X POST "https://graph.facebook.com/v25.0/$IG_ID/media" \
  -d "image_url=https://example.com/img2.jpg" \
  -d "is_carousel_item=true" \
  -d "access_token=$PAGE_TOKEN" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

# Step 2: Create carousel container
CAROUSEL=$(curl -s -X POST "https://graph.facebook.com/v25.0/$IG_ID/media" \
  -d "media_type=CAROUSEL" \
  -d "children=$IMG1,$IMG2" \
  -d "caption=Mi carrusel #carousel" \
  -d "access_token=$PAGE_TOKEN" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

# Step 3: Publish
curl -X POST "https://graph.facebook.com/v25.0/$IG_ID/media_publish" \
  -d "creation_id=$CAROUSEL" \
  -d "access_token=$PAGE_TOKEN"

Instagram — Read & Manage

Account info

curl -s "https://graph.facebook.com/v25.0/$IG_ID?fields=username,followers_count,follows_count,media_count&access_token=$PAGE_TOKEN"

Recent media

curl -s "https://graph.facebook.com/v25.0/$IG_ID/media?fields=id,caption,media_type,timestamp,like_count,comments_count,permalink&limit=10&access_token=$PAGE_TOKEN"

Post insights

curl -s "https://graph.facebook.com/v25.0/MEDIA_ID/insights?metric=impressions,reach,engagement&access_token=$PAGE_TOKEN"

Delete a post

curl -X DELETE "https://graph.facebook.com/v25.0/MEDIA_ID?access_token=$PAGE_TOKEN"

Reply to a comment

curl -X POST "https://graph.facebook.com/v25.0/COMMENT_ID/replies" \
  -d "message=Tu respuesta" \
  -d "access_token=$PAGE_TOKEN"

Token Management

Page Token

  • Stored in ~/.meta_tokens_cache.json under pages.<PAGE_ID>.access_token
  • Never expires (expires_at: 0)
  • Data access expires ~60 days — renew before

Renew tokens

  1. Go to Graph API Explorer
  2. Select app → Add permissions → Generate Access Token
  3. Exchange for long-lived token via Graph API Explorer or the App Dashboard
  4. Get new page token:
curl -s "https://graph.facebook.com/v25.0/me/accounts?access_token=LONG_LIVED_TOKEN"
  1. Update ~/.meta_tokens_cache.json with new tokens

Tips

  • Never hardcode tokens or IDs — always use environment variables or read from ~/.meta_tokens_cache.json
  • Instagram requires images/videos as public URLs (not local files)
  • For local files on Instagram, upload to hosting first or use Facebook's photo upload
  • Reels may take time to process — poll status before publishing
  • Schedule Facebook posts at least 10 minutes in advance
  • Instagram does NOT support native scheduling via API
  • File permissions on cache: chmod 600 ~/.meta_tokens_cache.json

Comments

Loading comments...