ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Instagram Api

Post to Instagram (Feed, Story, Reels, Carousel) and Threads using the official Meta Graph API. Requires Imgur for media hosting.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.3k · 6 current installs · 6 all-time installs
byTomas@lifeissea
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description (Instagram/Threads posting via Meta Graph and Imgur) aligns with the code: scripts upload media to Imgur and call Meta/Threads Graph endpoints. Required credentials (Instagram token, business account id, Imgur client id) are appropriate for the described functionality.
!
Instruction Scope
post-threads.sh sources ~/.openclaw/.env if present and invokes an absolute path (/Users/tomas/.openclaw/workspace/scripts/utils/clean_md.py) to preprocess captions. Sourcing a user dotfile can execute arbitrary commands from the file; calling a hard-coded local script outside the skill bundle is unexpected and could read/process local data or execute arbitrary code. Scripts also write logs to ~/logs/sns — expected, but note creation of local logs.
Install Mechanism
No install spec (instruction-only with included scripts). No remote downloads or extract steps in the skill itself. Scripts rely on python3 available at runtime (embedded inline Python).
Credentials
Declared required env vars (INSTAGRAM_ACCESS_TOKEN, INSTAGRAM_BUSINESS_ACCOUNT_ID, IMGUR_CLIENT_ID) are proportional to purpose. Threads uses THREADS_ACCESS_TOKEN and THREADS_USER_ID (documented as optional in body but not listed in the top requires_env YAML), which is a minor mismatch. The script's sourcing of ~/.openclaw/.env expands environment access beyond explicit env variables and may load sensitive values or execute code.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. It creates application logs under ~/logs/sns and may source ~/.openclaw/.env, but it does not modify other skills or system configuration.
What to consider before installing
This skill appears to do what it says (upload media to Imgur and post via Meta Graph/Threads), but exercise caution before installing. Two red flags: (1) post-threads.sh will source ~/.openclaw/.env if present — sourcing a dotfile can execute arbitrary shell commands stored there; ensure that file contains only harmless environment variable exports or remove that line. (2) post-threads.sh calls a hard-coded local script /Users/tomas/.openclaw/.../clean_md.py which is outside the skill bundle; that is likely a leftover development reference and could execute arbitrary local code or read local files. Before use, either remove/replace that call with a bundled or remote-safe routine, or ensure the referenced path is absent or trusted. Also verify you are comfortable providing the Instagram/Threads tokens and Imgur Client ID (they grant posting access). If you proceed, inspect and sanitize the scripts (remove sourcing and hard-coded paths), run them in a restricted account or container, and avoid storing long-lived secrets in shared dotfiles.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.1.1
Download zip
latestvk97bfftfejtjnd9rq7yzpr0j6h81vca3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

instagram-api

Meta Graph API를 사용해 Instagram과 Threads에 직접 포스팅하는 스킬. 미디어 호스팅은 Imgur API를 사용 (이미지/영상 공개 URL 생성).

Imgur Client ID 발급

Instagram Graph API는 공개 URL로만 미디어를 업로드할 수 있어 Imgur가 필요합니다.

  1. https://api.imgur.com/oauth2/addclient 접속
  2. Application name: 원하는 이름 (예: raon-instagram)
  3. Authorization type: Anonymous usage without user authorization 선택
  4. Authorization callback URL: https://localhost (Anonymous이므로 형식만 맞추면 됨)
  5. 이메일 입력 후 제출 → Client ID 확인
  6. 환경변수 설정: 
    export IMGUR_CLIENT_ID="your_client_id_here"

환경변수 설정

# ~/.openclaw/.env 또는 ~/.zshrc에 추가
export INSTAGRAM_ACCESS_TOKEN="your_token_here"
export INSTAGRAM_BUSINESS_ACCOUNT_ID="your_account_id_here"

# Threads (선택)
export THREADS_ACCESS_TOKEN="your_threads_token_here"
export THREADS_USER_ID="your_threads_user_id_here"

# Imgur (이미지 호스팅용 — 피드/릴스 업로드 시 필요)
export IMGUR_CLIENT_ID="your_imgur_client_id_here"

Meta Graph API 토큰 발급

  1. Meta for Developers 접속
  2. 앱 생성 → Business 유형 선택
  3. Instagram Graph API 제품 추가
  4. 권한 요청:
    • instagram_basic
    • instagram_content_publish
    • pages_read_engagement
  5. Access Token 발급:
  6. Business Account ID 확인: 
    curl "https://graph.facebook.com/v21.0/me/accounts?access_token=YOUR_TOKEN"

💡 Imgur Client ID: https://api.imgur.com/oauth2/addclient (Anonymous usage 선택)

스크립트 사용법

피드 포스팅

bash scripts/post-feed.sh <이미지경로> <캡션파일>

# 예시
bash scripts/post-feed.sh ./photo.jpg ./caption.txt

스토리 포스팅

bash scripts/post-story.sh <이미지경로>

# 예시
bash scripts/post-story.sh ./story.jpg

릴스 포스팅

bash scripts/post-reels.sh <영상경로> <캡션파일>

# 예시
bash scripts/post-reels.sh ./reel.mp4 ./caption.txt

캐러셀 포스팅

bash scripts/post-carousel.sh <캡션파일> <이미지1> <이미지2> [이미지3...]

# 예시
bash scripts/post-carousel.sh ./caption.txt ./img1.jpg ./img2.jpg ./img3.jpg

Threads 포스팅

bash scripts/post-threads.sh <캡션파일> [이미지URL]

# 예시 (텍스트만)
bash scripts/post-threads.sh ./caption.txt

# 예시 (이미지 포함)
bash scripts/post-threads.sh ./caption.txt "https://example.com/image.jpg"

파일 구조

instagram-api/
├── SKILL.md                    # 이 파일
└── scripts/
    ├── post-feed.sh            # 피드 포스팅
    ├── post-story.sh           # 스토리 포스팅
    ├── post-reels.sh           # 릴스 포스팅
    ├── post-carousel.sh        # 캐러셀 포스팅
    └── post-threads.sh         # Threads 포스팅

주의사항

  • Instagram은 공개 URL로만 미디어 업로드 가능 (로컬 파일 직접 업로드 불가)
  • 이 스킬은 Imgur를 통해 임시 공개 URL 생성
  • 릴스 동영상 처리에는 수분 소요될 수 있음
  • API 호출 실패 시 ~/logs/sns/ 로그 확인

Files

6 total
Select a file
Select a file to preview.

Comments

Loading comments…