ClawHub

fb_page_manager

v2.0.0

Publish posts to a Facebook Page via the Meta Graph API. Use when the user says "post to Facebook", "FB post", "粉專發文", "社群貼文", "幫我發文", "schedule post", "排程發文...

2· 312·0 current·0 all-time
by@aaazzzr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (node), required env vars (page token, page id, app secret), and the included script all align with the stated purpose of publishing to the Meta Graph API.
Instruction Scope
SKILL.md properly limits actions to drafting, previewing, and calling the provided script. It instructs the agent to always preview and obtain user confirmation before publishing, but the provided CLI script itself does not enforce interactive confirmation — the safety depends on the agent following the SKILL.md workflow.
Install Mechanism
No install spec is provided (instruction-only install) and the code files are included in the skill bundle. The only runtime requirement is Node; no external downloads, unusual installers, or third-party package pulls are present.
Credentials
Requested environment variables (LONG_META_page_TOKEN, META_PAGE_ID, META_APP_SECRET) are exactly those needed to post and compute appsecret_proof. Caveat: the token setup guide suggests storing the long-lived Page token in shell profile or in ~/.openclaw/openclaw.json — storing long-lived tokens in a shared skill/agent config increases exposure to other skills and processes, so users should consider storage and rotation policies.
Persistence & Privilege
Skill does not request always:true or other elevated platform privileges. It does not modify other skills or system-wide settings. Autonomous invocation is enabled by default (normal) but should be combined with the confirmation step described in SKILL.md.
Assessment
This skill appears to do exactly what it says: post to a Facebook Page using the Graph API. Before installing, ensure you: (1) limit the token’s scopes to only what’s required (pages_manage_posts, pages_read_engagement), (2) avoid putting long-lived page tokens in shared or world-readable config files if you care about limiting exposure — prefer ephemeral tokens or secure credential storage and rotate tokens regularly, (3) confirm your agent will present the preview and require explicit user confirmation before running the node script (the CLI itself won’t prompt), (4) be cautious when supplying local file paths to upload (the script will read the file you pass), and (5) verify your environment runs a supported Node version (fetch is used). If any of these are unacceptable, do not install or do not populate the long-lived token in a shared config.

Like a lobster shell, security has layers — review code before you run it.

latestvk973ws9pd98kr2gs3g8mfk1p6x82bz87

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📘 Clawdis
Binsnode
EnvLONG_META_page_TOKEN, META_PAGE_ID, META_APP_SECRET
Primary envLONG_META_page_TOKEN

Comments