ai agent
v1.0.0
Automate Facebook Page posting and token management using Graph API with retry-safe, rate-limit-aware workflows for text and image content.
MIT-0
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The SKILL.md describes a Facebook Page posting and token-management tool (requires FB_APP_ID, FB_APP_SECRET, FB_PAGE_ID, FB_PAGE_ACCESS_TOKEN) which is coherent with the stated purpose. However, the registry metadata declares no required environment variables or primary credential, creating a mismatch: the skill asks for sensitive credentials in its instructions but the published metadata does not reflect that.
Instruction Scope
SKILL.md instructs running and referencing files (agents/fb_token_helper.py, agents/fb_publisher_agent.py, config.py, test_fb_connection.py) and reading env vars/.env, yet no code files are included in the package. That leaves the runtime behavior underspecified and requires the user to run or obtain scripts not provided here, which is a notable inconsistency and operational risk.
Install Mechanism
Instruction-only skill with no install spec and no binaries to download — low install-time risk. Nothing in the package will be written to disk by an installer because there is no installer.
Credentials
The SKILL.md legitimately requires sensitive values (FB_APP_SECRET and FB_PAGE_ACCESS_TOKEN) for the claimed functionality, which is proportionate to posting on Pages. However, these credentials are not declared in the skill metadata (primaryEnv missing) and there is no secure secret storage mechanism described beyond a .env file recommendation. The absence of declared env vars in registry metadata reduces transparency and increases risk of accidental credential misuse.
Persistence & Privilege
The skill is not force-included (always: false) and uses default autonomous invocation settings; it does not request persistent system-level privileges or modify other skills' configs. No additional persistence or elevated privileges are declared.
Scan Findings in Context
[regex_scanner_none] expected: The static scanner found no matches because there are no code files — SKILL.md is instruction-only. Absence of findings is expected in this context but does not imply the instructions are safe or complete.
What to consider before installing
This skill's purpose (Facebook Page posting and token management) is reasonable, but there are two red flags: (1) the runtime instructions require sensitive credentials (FB_APP_ID, FB_APP_SECRET, FB_PAGE_ID, FB_PAGE_ACCESS_TOKEN) yet the published metadata does not declare them; and (2) the README instructs you to run scripts (fb_token_helper.py, fb_publisher_agent.py, config.py) that are not included. Before installing or running anything: do not paste secrets into a tool you can't inspect; ask the publisher for the missing code or a verified package; insist the skill metadata list required env vars and primary credential; review any provided scripts for secret handling and network behavior; store tokens in a secure secret manager (not plain .env in shared repos); use least-privilege page tokens and rotate them after testing; and verify webhook signature validation and retry/backoff behavior in the actual code. If the publisher cannot supply the referenced code or explain why metadata omits env vars, avoid providing credentials.
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Facebook Graph API Skill (Advanced)
Purpose
Production-oriented guide for building Facebook Graph API workflows for Pages: publishing posts (text + image), managing tokens, and operating Page content safely using direct HTTPS calls.
Best fit
- Page posting automation with images (DALL-E generated or external URL)
- Token management (short-lived → long-lived → page token)
- Retry-safe, rate-limit-aware production pipelines
Not a fit
- Personal profile posting (not supported by Graph API for third-party apps)
- Ads / Marketing API workflows
- Browser-based OAuth flows
Quick orientation
agents/fb_token_helper.py ← Get & exchange tokens (run this first!)
agents/fb_publisher_agent.py ← Post text / images to Page
config.py ← All env vars
test_fb_connection.py ← Verify token is working
Token Flow
Short-lived User Token (1-2h)
↓ GET /oauth/access_token?grant_type=fb_exchange_token
Long-lived User Token (60 days)
↓ GET /me/accounts
Page Access Token (never expires*)
*Until user changes password or revokes app.
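The token chain in the diagram above, as an added example that is not the skill's own fb_token_helper.py (that file is not in the package). The endpoints and grant type are the ones named on the page; the HTTP transport is passed in as a `send(method, path, params)` callable, which is an assumption of this example so the flow can be exercised against canned responses offline. `client_id`, `client_secret` and `fb_exchange_token` are the documented parameter names for the exchange call.

```python
GRAPH = "https://graph.facebook.com/v21.0"  # same API version as the endpoints in this skill


def exchange_request(app_id, app_secret, short_token):
    """Step 1: request to swap a short-lived user token for a long-lived one."""
    return ("GET", "/oauth/access_token", {
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,   # the app secret travels only in this server-side call
        "fb_exchange_token": short_token,
    })


def accounts_request(long_token):
    """Step 2: request listing the Pages the user manages, each with its own Page token."""
    return ("GET", "/me/accounts", {"access_token": long_token})


def long_lived_from(resp):
    """Pull the long-lived user token out of the exchange response; surface Graph errors."""
    if "error" in resp:
        raise RuntimeError("token exchange failed, Graph error code %s" % resp["error"].get("code"))
    return resp["access_token"]


def page_token_from(resp, page_id):
    """Pick the Page token matching FB_PAGE_ID out of the /me/accounts list. A missing id
    usually means the wrong Page id, or a user who does not manage that Page."""
    for page in resp.get("data", []):
        if str(page.get("id")) == str(page_id):
            return page["access_token"]
    raise LookupError("page %s is not among the pages this user manages" % page_id)


def run_token_flow(app_id, app_secret, short_token, page_id, send):
    """Run the chain end to end. `send(method, path, params)` is the transport (assumed
    by this example): in production it would urlencode params, call GRAPH + path and
    return the parsed JSON body; tests inject a fake that returns canned responses."""
    long_token = long_lived_from(send(*exchange_request(app_id, app_secret, short_token)))
    return page_token_from(send(*accounts_request(long_token)), page_id)
```

Keeping request building and response parsing as pure functions means the only place the app secret is handled is `exchange_request`, which makes it easy to confirm that nothing on the path logs it.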
Required Environment Variables
FB_APP_ID=... # From Meta for Developers
FB_APP_SECRET=... # App secret
FB_PAGE_ID=... # Target Fanpage ID
FB_PAGE_ACCESS_TOKEN=... # From fb_token_helper.py
Key API Endpoints
Post text
POST /v21.0/{page_id}/feed
message=...
access_token={page_token}
Upload photo (unpublished)
POST /v21.0/{page_id}/photos
url={image_url}
published=false
access_token={page_token}
→ Returns: { "id": "PHOTO_ID" }
Post with photo
POST /v21.0/{page_id}/feed
message=...
attached_media[0]={"media_fbid":"PHOTO_ID"}
access_token={page_token}
Scheduled post
POST /v21.0/{page_id}/feed
message=...
scheduled_publish_time={unix_timestamp}
published=false
access_token={page_token}
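The four endpoint calls above wired into one publisher, as an added example that is not the skill's fb_publisher_agent.py. Paths and parameter names are the ones listed on the page; the two-step "upload unpublished photo, then attach its id to a feed post" sequence is the one the page describes. The `send(path, params)` transport is injectable (an assumption of this example) so the sequence can be checked against a fake without network access; the default transport uses the standard library.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.facebook.com/v21.0"


def graph_post(path, params, timeout=15):
    """Default transport: form-encoded POST to the Graph API, parsed JSON back."""
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(GRAPH + path, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return json.load(r)


class PagePublisher:
    def __init__(self, page_id, page_token, send=graph_post):
        self.page_id = page_id
        self._token = page_token   # kept private; never write it to logs
        self.send = send

    def _post(self, path, params):
        params = dict(params, access_token=self._token)
        resp = self.send(path, params)
        if "error" in resp:
            err = resp["error"]
            raise RuntimeError("Graph error %s: %s" % (err.get("code"), err.get("message")))
        return resp

    def post_text(self, message):
        """POST /{page_id}/feed with a message; returns the new post id."""
        return self._post("/%s/feed" % self.page_id, {"message": message})["id"]

    def upload_photo_unpublished(self, image_url):
        """Step 1 of 'Post with photo': upload from a URL with published=false, keep PHOTO_ID."""
        return self._post("/%s/photos" % self.page_id,
                          {"url": image_url, "published": "false"})["id"]

    def post_with_photo(self, message, image_url):
        """Step 2: attach the unpublished photo via attached_media[0]={"media_fbid": ...}."""
        photo_id = self.upload_photo_unpublished(image_url)
        return self._post("/%s/feed" % self.page_id, {
            "message": message,
            "attached_media[0]": json.dumps({"media_fbid": photo_id}),
        })["id"]

    def schedule_post(self, message, publish_at_unix):
        """Scheduled post: published=false plus a unix scheduled_publish_time."""
        return self._post("/%s/feed" % self.page_id, {
            "message": message,
            "scheduled_publish_time": str(int(publish_at_unix)),
            "published": "false",
        })["id"]
```

Because every call goes through `_post`, the page token is added in exactly one place and a Graph `error` object is turned into an exception before any caller can mistake it for a post id.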
Required Permissions
| Permission | Purpose |
|---|---|
| pages_manage_posts | Create/edit posts |
| pages_read_engagement | Read reactions, comments |
| pages_show_list | List managed pages |
| public_profile | Basic user identity |
Rate Limits
- 200 calls/hour/user token
- Implement retry with exponential backoff (see fb_publisher_agent.py)
- POST 4-5 times/day max per Page for safety
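The retry-with-exponential-backoff and "4-5 posts/day per Page" guidance above, as an added example that is not the skill's fb_publisher_agent.py. The rate-limit error codes it retries on (4 = app limit, 17 = user limit, 32 = Page limit, 613 = custom limit) are from Meta's published Graph API error reference; the daily budget is a local counter enforcing the page's own rule, not a Graph API feature. `GraphError` and the injectable `sleep`/`rng`/`clock` parameters are assumptions of this example so the timing can be tested without waiting.

```python
import random
import time

RATE_LIMIT_CODES = {4, 17, 32, 613}   # Graph API throttling codes (Meta error reference)


class GraphError(Exception):
    """An error object returned by the Graph API, with its code and HTTP status."""
    def __init__(self, code, message, http_status=400):
        super().__init__("Graph error %s: %s" % (code, message))
        self.code = code
        self.http_status = http_status


def is_retryable(exc):
    """Retry only on throttling and server-side 5xx. A bad token or missing permission
    will not fix itself, so retrying it just burns more of the hourly quota."""
    if isinstance(exc, GraphError):
        return exc.code in RATE_LIMIT_CODES or exc.http_status >= 500
    return False


def call_with_backoff(fn, max_attempts=5, base=2.0, cap=300.0,
                      sleep=time.sleep, rng=random.random):
    """Call fn(); on a retryable error wait base * 2**attempt seconds (capped at `cap`)
    plus up to one `base` of jitter so parallel workers do not retry in lockstep."""
    for attempt in range(max_attempts):
        try:
            return fn()
        except Exception as exc:
            if not is_retryable(exc) or attempt == max_attempts - 1:
                raise
            delay = min(cap, base * 2 ** attempt) + rng() * base
            sleep(delay)


class DailyPostBudget:
    """Local guard for the '4-5 posts/day per Page' rule: a sliding 24-hour window
    of post timestamps. Call try_reserve() before each publish and skip on False."""
    def __init__(self, limit=4, clock=time.time):
        self.limit = limit
        self.clock = clock
        self._stamps = []

    def try_reserve(self):
        now = self.clock()
        self._stamps = [t for t in self._stamps if now - t < 86400]
        if len(self._stamps) >= self.limit:
            return False
        self._stamps.append(now)
        return True
```

In a deployment the transport would raise `GraphError` whenever the response body carries an `error` object, and every publish would be wrapped as `call_with_backoff(lambda: publisher.post_text(msg))` after `budget.try_reserve()` succeeds.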
Security
- Never log tokens or app secrets
- Store all secrets in .env (ignored by git)
- Validate webhook signatures if using webhooks
- Monitor token validity daily with a cron job
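Three of the Security items above in code, as an added example that is not part of the skill: a log-safe token redaction helper, verification of a webhook delivery's `X-Hub-Signature-256` header, and an interpreter for a `GET /debug_token` response that a daily cron job can act on. The header name, the `sha256=` prefix and the HMAC-SHA256-over-raw-body scheme keyed with the app secret follow Meta's webhook documentation; `is_valid` and `expires_at` are documented `debug_token` fields, and this example treats `expires_at` of 0 as a non-expiring token (the Page-token case). The sample body, secret and thresholds are constructed.

```python
import hashlib
import hmac
import time


def redact(token):
    """Safe form for logs: length plus last four characters, never the token itself."""
    if not token:
        return "<empty>"
    return "<token len=%d ...%s>" % (len(token), token[-4:])


def sign_webhook_body(app_secret, raw_body):
    """Produce the header value Meta would send; used here to build test input."""
    return "sha256=" + hmac.new(app_secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_webhook_signature(app_secret, raw_body, header_value):
    """True only if header_value is 'sha256=<hex HMAC-SHA256 of raw_body keyed with the
    app secret>'. Hash the raw request bytes (not re-serialised JSON) and compare with
    compare_digest so a wrong signature does not leak timing information."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = hmac.new(app_secret.encode(), raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_value[len("sha256="):])


def token_status(debug_resp, now=None, warn_days=7):
    """Summarise a /debug_token response for a cron check: 'invalid', 'expiring' or
    'ok'. expires_at is a unix time; 0 means the token does not expire."""
    data = debug_resp.get("data", {})
    if not data.get("is_valid", False):
        return "invalid"
    expires_at = data.get("expires_at", 0)
    now = time.time() if now is None else now
    if expires_at and expires_at - now < warn_days * 86400:
        return "expiring"
    return "ok"
```

The cron job would call `/debug_token?input_token=<page token>` with the app token, pass the JSON to `token_status`, and alert on anything other than `ok`, logging the token only through `redact`.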
Files