ClawHub

Instagram Page

v1.0.1

Instagram Business manager: post photos, reels, stories & get insights. Requires: powershell/pwsh. Reads ~/.config/instagram-page/credentials.json (IG_ACCESS...

2· 456·0 current·0 all-time
byseph@seph1709
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actions described in SKILL.md. Requiring PowerShell/pwsh is consistent with the included PowerShell Invoke-RestMethod examples. The declared credential file (~/.config/instagram-page/credentials.json) and fields (IG_ACCESS_TOKEN, IG_USER_ID, optional IG_APP_ID/IG_APP_SECRET for token exchange) are appropriate for Instagram Graph API usage.
Instruction Scope
Instructions focus on constructing Graph API calls and include explicit PowerShell commands to read ~/.config/instagram-page/credentials.json, exchange/refresh tokens, and call graph.facebook.com. Reading the credentials file is necessary for operation but is sensitive — the doc explicitly instructs protecting the file and deleting IG_APP_SECRET after setup. The skill also instructs using Graph API Explorer for initial short tokens (expected). There are no instructions to read other unrelated files or to forward data to endpoints other than graph.facebook.com.
Install Mechanism
This is instruction-only (no install spec, no extracted downloads, no code files). That is the lowest-risk install mechanism and consistent with the skill's content.
Credentials
No environment variables are requested; the single credential file contains the access token and user id which are necessary for API calls. IG_APP_ID and IG_APP_SECRET are only required for the one-time token exchange and are marked optional. The sensitivity/privilege of the stored long-lived token is expected for the functionality.
Persistence & Privilege
always:false (normal). The skill permits autonomous invocation by default (disable-model-invocation:false), which is standard for skills, but combined with access to long-lived Instagram tokens means an agent could make API calls (including publishing posts) without additional manual confirmation — users should be aware of that operational risk and configure invocation policies accordingly.
Assessment
This skill appears coherent for managing an Instagram Business/Creator account via the Graph API, but it requires a long-lived access token stored in ~/.config/instagram-page/credentials.json — treat that file as highly sensitive. Before installing: (1) ensure you trust the skill owner; (2) keep IG_APP_SECRET only for the one-time exchange and delete it afterward as recommended; (3) restrict credentials.json permissions (chmod 600 or equivalent) and do not commit it to version control; (4) consider disabling autonomous invocation or requiring user confirmation if you do not want the agent to post content without approval; (5) rotate the token immediately if the host or agent is compromised and monitor activity/logs for unexpected API calls.

Like a lobster shell, security has layers — review code before you run it.

latestvk9781xcp594w27fz67smqmj1s1823zn9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

[ig] Clawdis
Any binpowershell, pwsh

Comments