← Back to Skills Marketplace
joelsalespossible

Facebook Humanistic Profile Control

by Joel Yi - DeployAIBots.com · GitHub ↗ · v1.0.6 · MIT-0
cross-platform ⚠ suspicious
134
Downloads
0
Stars
0
Active Installs
7
Versions
Install in OpenClaw
/install fb-profile-control
Description
CREDENTIALS REQUIRED: FB_COOKIE_FILE (Facebook session cookies JSON — treat as password), FB_STATE_FILE (Playwright state path, writable). Optional: FB_DRY_R...
README (SKILL.md)

FB Group Scanner Skill

Scan Facebook groups for targeted posts and auto-comment using undetected browser automation.

⚠️ Before You Start

  • Cookies = credentials. FB_COOKIE_FILE grants full Facebook account access. Store with chmod 600, never commit to git.
  • Use a dedicated/throwaway FB account — never your personal account.
  • Dry-run is ON by default (FB_DRY_RUN=true). The skill will scan and log matches but post zero comments until you explicitly set FB_DRY_RUN=false.
  • Run in a container or VM — not directly on your host machine.
  • May violate Facebook TOS. You are responsible for compliance.

Environment Variables

Variable Required Secret Description
FB_COOKIE_FILE Path to Facebook cookies JSON (Selenium format). Full account access — treat as password.
FB_STATE_FILE Writable path for Playwright storage state (default: /tmp/fb_state.json)
FB_DRY_RUN true (default) = scan only. false = live commenting.
FB_USER_AGENT Override browser user agent
NOTIFY_WEBHOOK Webhook URL for match alerts. Skipped if unset.

Install

pip install -r scripts/requirements.txt   # patchright from PyPI
python -m patchright install chromium      # Chromium from Playwright distribution

How to Get Cookies

  1. Log in to Facebook in real Chrome (manually, once, dedicated account)
  2. Export all facebook.com cookies as JSON via EditThisCookie or DevTools
  3. Save to the path in FB_COOKIE_FILE with chmod 600

Cookies last ~30–90 days. Re-export manually when expired — no automated re-login included.

Architecture

Patchright browser (stealth Chromium — patches navigator.webdriver + CDP detection)
  └─ Cookie auth (no login form)
       └─ Navigate group feed → intercept GraphQL responses passively
            └─ Filter posts: trigger phrase + topic keyword − exclusions
                 └─ FB_DRY_RUN=true → log match only
                    FB_DRY_RUN=false → human_type() comment + screenshot + webhook

1. Session (scripts/fb_session.py)

Reads FB_COOKIE_FILE and FB_STATE_FILE from environment. Returns (playwright, browser, context, page).

from fb_session import create_session
pw, browser, ctx, page = await create_session()
# Raises RuntimeError if cookies are stale

2. GraphQL Interception

Passively intercept FB's internal API responses — no synthetic clicks, no DOM scraping:

responses = []
async def capture(r):
    if "graphql" in r.url and r.status == 200:
        try: responses.append(await r.json())
        except: pass
page.on("response", capture)
await page.goto(group_url)
await asyncio.sleep(5)

See references/graphql-patterns.md for walking the response tree.

3. Human-Like Behavior (scripts/human_mouse.py)

  • human_scroll(page) — variable-speed wheel ticks with micro-pauses
  • human_click(page, x, y) — bezier curve mouse path + hover + hold
  • human_type(page, text) — variable WPM, occasional typos + backspace
  • idle_mouse_drift(page) — aimless drift while "reading"
  • reading_pause(min_s, max_s) — random pre-action sleep

Timing: 3–8s after page load, 50–120s between groups, never back-to-back.

4. User Controls

import os, re

DRY_RUN = os.environ.get("FB_DRY_RUN", "true").lower() == "true"

def redact_pii(text):
    """Strip emails and phone numbers before any external send."""
    text = re.sub(r'[\w.+-]+@[\w-]+\.[a-z]{2,}', '[EMAIL]', text)
    text = re.sub(r'\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b', '[PHONE]', text)
    return text

NOTIFY_WEBHOOK = os.environ.get("NOTIFY_WEBHOOK", "")
if not NOTIFY_WEBHOOK:
    # Skill skips all external notifications when unset
    pass

5. Post Filtering

See references/filter-logic.md — four-stage pipeline:

  1. Trigger phrase — hiring signal ("hiring", "looking for", "seeking", etc.)
  2. Topic keyword — target role ("csm", "client success manager", "retention", etc.)
  3. Job title exclusions — reject different roles in headline (first 200 chars)
  4. Seeking-work exclusions — reject service-offer posts

6. Scheduling

import schedule, time, asyncio
schedule.every().hour.at(":00").do(lambda: asyncio.run(scan_bucket("A")))
schedule.every().hour.at(":30").do(lambda: asyncio.run(scan_bucket("B")))
while True:
    schedule.run_pending()
    time.sleep(30)

8am–11pm only. Track seen posts in SQLite to prevent duplicate comments.

Files

File Purpose
scripts/fb_session.py Cookie session factory (env vars only, no hardcoded paths)
scripts/human_mouse.py Stealth mouse/scroll/type helpers (bezier curves, variable timing)
scripts/requirements.txt Python dependencies (patchright>=1.0.0)
references/graphql-patterns.md FB GraphQL response tree parsing guide
references/filter-logic.md Keyword filter architecture + tuning guide
Usage Guidance
This skill is coherent but high-risk by design because it requires Facebook session cookies (FB_COOKIE_FILE), which grant full account control. Only use with a dedicated/throwaway account, store the cookie file with restrictive permissions (chmod 600), and run inside an isolated VM or container. Keep FB_DRY_RUN=true until you have tested filtering thoroughly; do not set FB_DRY_RUN=false unless you explicitly want live posting. Review and control NOTIFY_WEBHOOK — any URL you provide will receive matched data. Audit the patchright package source before installing and avoid using your personal Facebook account to prevent account compromise or TOS violations. If you want to reduce risk, require manual invocation (do not allow autonomous agent use) and inspect logs and outgoing webhook activity before enabling live actions.
Capability Analysis
Type: OpenClaw Skill Name: fb-profile-control Version: 1.0.6 The skill is a Facebook automation tool that requires high-privilege session credentials (FB_COOKIE_FILE) to function. It utilizes 'patchright' (a stealth fork of Playwright) and includes sophisticated human-behavior simulation in 'scripts/human_mouse.py' to evade bot detection. While the code includes a dry-run safety mechanism and PII redaction logic, the handling of session cookies and the storage of browser state in a world-readable location ('/tmp/fb_state.json' in 'scripts/fb_session.py') present significant security risks and potential for account hijacking. No evidence of intentional exfiltration to a third party was found, but the inherent risks of the required credentials and stealth techniques warrant a suspicious classification.
Capability Assessment
Purpose & Capability
Name/description (FB group scanner + auto-comments) match the requested items: python3, FB_COOKIE_FILE (cookie export), FB_STATE_FILE, Patchright/Playwright for a stealth Chromium. The cookie-based auth and Playwright automation are expected for this purpose.
Instruction Scope
SKILL.md and code instruct the agent to read the cookie file, convert/write a Playwright state file, intercept GraphQL responses, apply filter logic, and optionally post comments and call a webhook. These are within the declared purpose, but the skill can log raw GraphQL responses and (if configured) send notifications to an external webhook — review and control the webhook destination and logs.
Install Mechanism
Install uses pip (patchright from PyPI) and patchright's chromium install (Playwright distribution). This is a typical, traceable mechanism for Python/Playwright tooling; no arbitrary URL downloads or archive extraction from unknown hosts are present.
Credentials
Required env vars are limited and appropriate: FB_COOKIE_FILE (secret, required) and FB_STATE_FILE (writable path). Optional webhook and user-agent overrides are reasonable. No unrelated credentials or excessive secrets are requested.
Persistence & Privilege
Skill is not always-enabled and does not request system-wide persistent privileges. It writes a Playwright state file and can operate autonomously (default platform behavior). Because the cookie file grants full account access, prefer manual invocation or keep FB_DRY_RUN=true until you intentionally enable live commenting.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install fb-profile-control
  3. After installation, invoke the skill by name or use /fb-profile-control
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.6
No functional code changes in this release. Metadata in SKILL.md improved for clarity: - Added structured environment variable definitions under `primaryEnv` in metadata. - Now explicitly documents which variables are required, their secrecy, and descriptions. - Improved installation and security instructions in documentation. - Skill usage notes clarified for safe and intended operation.
v1.0.5
No code or documentation changes detected in this release. - Version bump only; no changes to code or documentation. - Safe to update — functionality and interface remain identical to previous version.
v1.0.4
- No code or functionality changes in this release. - Internal metadata structure in SKILL.md has been updated: environment variable and install details are now structured as lists of objects. - User-facing documentation and instructions remain unchanged.
v1.0.3
**Added user safety and explicit controls for auto-commenting Facebook group scanner bots.** - Requires dry-run mode by default; live auto-commenting only enabled by explicit opt-in via environment variable. - Documents environment variables clearly, including required/optional settings for credentials, state storage, user agent, notification webhooks, and dry-run mode. - Adds strong user confirmation and notification PII-redaction logic before sending match data to external systems. - Expands install, session, and operational instructions for safer and more transparent deployment. - Updated security and legal warnings with actionable advice on sandboxing, secrets handling, and compliance responsibilities.
v1.0.2
- Added explicit security, legal, and sandboxing warnings for handling Facebook credentials and automation risks. - Expanded metadata: declares required and optional environment variables, installation instructions, and sensitivity level. - Clarified installation steps and recommends container/VM isolation for extra safety. - Emphasized manual cookie export with warnings not to automate or share exported cookies. - Added reminders to review and sanitize any user data or screenshots before sharing externally. - Improved documentation on compliance, account choice, notification safety, and logging practices.
v1.0.1
- Added scripts/requirements.txt file specifying Python dependencies. - Updated documentation to reflect new, explicit requirements installation step using requirements.txt. - No functional code changes; this version only adds dependency tracking for easier setup.
v1.0.0
Initial release: full documented recipe for building a Facebook group scanner and auto-commenter bot. - Provides stealth browsing via Patchright and cookie-based Facebook sessions (no login form). - Details GraphQL interception for efficient post detection (avoiding HTML scraping). - Includes human-like timing, scrolling, and typing behaviors to evade Facebook bot detection. - Implements robust keyword filtering logic, rate-limited auto-commenting, and duplicate prevention using SQLite. - Supports scheduled scans and Slack notifications for matched/commented posts. - Offers guidance on setup, pitfalls, and file organization for building and maintaining the skill.
Metadata
Slug fb-profile-control
Version 1.0.6
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 7
Frequently Asked Questions

What is Facebook Humanistic Profile Control?

CREDENTIALS REQUIRED: FB_COOKIE_FILE (Facebook session cookies JSON — treat as password), FB_STATE_FILE (Playwright state path, writable). Optional: FB_DRY_R... It is an AI Agent Skill for Claude Code / OpenClaw, with 134 downloads so far.

How do I install Facebook Humanistic Profile Control?

Run "/install fb-profile-control" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Facebook Humanistic Profile Control free?

Yes, Facebook Humanistic Profile Control is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Facebook Humanistic Profile Control support?

Facebook Humanistic Profile Control is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Facebook Humanistic Profile Control?

It is built and maintained by Joel Yi - DeployAIBots.com (@joelsalespossible); the current version is v1.0.6.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments