← Back to Skills Marketplace

Instagram Api

Name: Instagram Api
Author: lifeissea

by Tomas · GitHub ↗ · v1.1.1

cross-platform ⚠ suspicious

1957

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install instagram-api

Description

Post to Instagram (Feed, Story, Reels, Carousel) and Threads using the official Meta Graph API. Requires Imgur for media hosting.

README (SKILL.md)

instagram-api

Meta Graph API를 사용해 Instagram과 Threads에 직접 포스팅하는 스킬. 미디어 호스팅은 Imgur API를 사용 (이미지/영상 공개 URL 생성).

Imgur Client ID 발급

Instagram Graph API는 공개 URL로만 미디어를 업로드할 수 있어 Imgur가 필요합니다.

https://api.imgur.com/oauth2/addclient 접속
Application name: 원하는 이름 (예: raon-instagram)
Authorization type: Anonymous usage without user authorization 선택
Authorization callback URL: https://localhost (Anonymous이므로 형식만 맞추면 됨)
이메일 입력 후 제출 → Client ID 확인

환경변수 설정:

export IMGUR_CLIENT_ID="your_client_id_here"

환경변수 설정

# ~/.openclaw/.env 또는 ~/.zshrc에 추가
export INSTAGRAM_ACCESS_TOKEN="your_token_here"
export INSTAGRAM_BUSINESS_ACCOUNT_ID="your_account_id_here"

# Threads (선택)
export THREADS_ACCESS_TOKEN="your_threads_token_here"
export THREADS_USER_ID="your_threads_user_id_here"

# Imgur (이미지 호스팅용 — 피드/릴스 업로드 시 필요)
export IMGUR_CLIENT_ID="your_imgur_client_id_here"

Meta Graph API 토큰 발급

Meta for Developers 접속
앱 생성 → Business 유형 선택
Instagram Graph API 제품 추가
권한 요청:
- instagram_basic
- instagram_content_publish
- pages_read_engagement
Access Token 발급:
- Graph API Explorer: https://developers.facebook.com/tools/explorer/
- 장기 토큰(Long-lived token)으로 교환: 60일 유효

Business Account ID 확인:

curl "https://graph.facebook.com/v21.0/me/accounts?access_token=YOUR_TOKEN"

💡 Imgur Client ID: https://api.imgur.com/oauth2/addclient (Anonymous usage 선택)

스크립트 사용법

피드 포스팅

bash scripts/post-feed.sh \x3C이미지경로> \x3C캡션파일>

# 예시
bash scripts/post-feed.sh ./photo.jpg ./caption.txt

스토리 포스팅

bash scripts/post-story.sh \x3C이미지경로>

# 예시
bash scripts/post-story.sh ./story.jpg

릴스 포스팅

bash scripts/post-reels.sh \x3C영상경로> \x3C캡션파일>

# 예시
bash scripts/post-reels.sh ./reel.mp4 ./caption.txt

캐러셀 포스팅

bash scripts/post-carousel.sh \x3C캡션파일> \x3C이미지1> \x3C이미지2> [이미지3...]

# 예시
bash scripts/post-carousel.sh ./caption.txt ./img1.jpg ./img2.jpg ./img3.jpg

Threads 포스팅

bash scripts/post-threads.sh \x3C캡션파일> [이미지URL]

# 예시 (텍스트만)
bash scripts/post-threads.sh ./caption.txt

# 예시 (이미지 포함)
bash scripts/post-threads.sh ./caption.txt "https://example.com/image.jpg"

파일 구조

instagram-api/
├── SKILL.md                    # 이 파일
└── scripts/
    ├── post-feed.sh            # 피드 포스팅
    ├── post-story.sh           # 스토리 포스팅
    ├── post-reels.sh           # 릴스 포스팅
    ├── post-carousel.sh        # 캐러셀 포스팅
    └── post-threads.sh         # Threads 포스팅

주의사항

Instagram은 공개 URL로만 미디어 업로드 가능 (로컬 파일 직접 업로드 불가)
이 스킬은 Imgur를 통해 임시 공개 URL 생성
릴스 동영상 처리에는 수분 소요될 수 있음
API 호출 실패 시 ~/logs/sns/ 로그 확인

Usage Guidance

This skill appears to do what it says (upload media to Imgur and post via Meta Graph/Threads), but exercise caution before installing. Two red flags: (1) post-threads.sh will source ~/.openclaw/.env if present — sourcing a dotfile can execute arbitrary shell commands stored there; ensure that file contains only harmless environment variable exports or remove that line. (2) post-threads.sh calls a hard-coded local script /Users/tomas/.openclaw/.../clean_md.py which is outside the skill bundle; that is likely a leftover development reference and could execute arbitrary local code or read local files. Before use, either remove/replace that call with a bundled or remote-safe routine, or ensure the referenced path is absent or trusted. Also verify you are comfortable providing the Instagram/Threads tokens and Imgur Client ID (they grant posting access). If you proceed, inspect and sanitize the scripts (remove sourcing and hard-coded paths), run them in a restricted account or container, and avoid storing long-lived secrets in shared dotfiles.

Capability Analysis

Type: OpenClaw Skill Name: instagram-api Version: 1.1.1 The `scripts/post-threads.sh` file contains two significant vulnerabilities. First, it uses `source ~/.openclaw/.env`, which executes the `.env` file as a shell script, allowing arbitrary code execution if an attacker can control its content. Second, it calls an external Python script via a hardcoded absolute path (`/Users/tomas/.openclaw/workspace/scripts/utils/clean_md.py`) that is not part of the skill bundle, making the script non-functional and introducing a potential Remote Code Execution (RCE) risk if a malicious script is placed at that specific path. These are critical vulnerabilities, not intentional malice.

Capability Assessment

✓ Purpose & Capability

Name/description (Instagram/Threads posting via Meta Graph and Imgur) aligns with the code: scripts upload media to Imgur and call Meta/Threads Graph endpoints. Required credentials (Instagram token, business account id, Imgur client id) are appropriate for the described functionality.

⚠ Instruction Scope

post-threads.sh sources ~/.openclaw/.env if present and invokes an absolute path (/Users/tomas/.openclaw/workspace/scripts/utils/clean_md.py) to preprocess captions. Sourcing a user dotfile can execute arbitrary commands from the file; calling a hard-coded local script outside the skill bundle is unexpected and could read/process local data or execute arbitrary code. Scripts also write logs to ~/logs/sns — expected, but note creation of local logs.

✓ Install Mechanism

No install spec (instruction-only with included scripts). No remote downloads or extract steps in the skill itself. Scripts rely on python3 available at runtime (embedded inline Python).

ℹ Credentials

Declared required env vars (INSTAGRAM_ACCESS_TOKEN, INSTAGRAM_BUSINESS_ACCOUNT_ID, IMGUR_CLIENT_ID) are proportional to purpose. Threads uses THREADS_ACCESS_TOKEN and THREADS_USER_ID (documented as optional in body but not listed in the top requires_env YAML), which is a minor mismatch. The script's sourcing of ~/.openclaw/.env expands environment access beyond explicit env variables and may load sensitive values or execute code.

✓ Persistence & Privilege

always is false and the skill does not request persistent system-wide privileges. It creates application logs under ~/logs/sns and may source ~/.openclaw/.env, but it does not modify other skills or system configuration.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install instagram-api
After installation, invoke the skill by name or use /instagram-api
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.1.1

Auto-update 2026-02-25: maintenance & improvements

v1.1.0

Auto-update 2026-02-22: minor version bump

v1.0.6

Security fix: all urllib calls reviewed; no credentials in scripts

v1.0.5

이름 수정

v1.0.4

이름 수정

v1.0.3

보안패치: source ~/.openclaw/.env 제거

v1.0.2

보안패치: curl → Python urllib 교체

v1.0.1

Fix: clarify Imgur dependency in SKILL.md, add IMGUR_CLIENT_ID to requirements

v1.0.0

Initial release: Feed/Story/Reels/Carousel/Threads posting via official Meta Graph API

Metadata

Slug instagram-api

Version 1.1.1

License —

All-time Installs 7

Active Installs 7

Total Versions 9

Frequently Asked Questions

What is Instagram Api?

Post to Instagram (Feed, Story, Reels, Carousel) and Threads using the official Meta Graph API. Requires Imgur for media hosting. It is an AI Agent Skill for Claude Code / OpenClaw, with 1957 downloads so far.

How do I install Instagram Api?

Run "/install instagram-api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Instagram Api free?

Yes, Instagram Api is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Instagram Api support?

Instagram Api is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Instagram Api?

It is built and maintained by Tomas (@lifeissea); the current version is v1.1.1.

More Skills