Downloads: 490 | Stars: 0 | Active Installs: 1 | Versions: 1
Install in OpenClaw
/install facebook-page-manager-1-0-0
Description
Manage Facebook Pages via Meta Graph API. Post content (text, photos, links), list posts, manage comments (list/reply/hide/delete). Use when user wants to pu...
README (SKILL.md)
Facebook Page
Skill for managing a Facebook Page via the Meta Graph API.
Features
- List the Pages the user manages
- Create posts (text, photo, link)
- List the Page's posts
- List/reply to/hide/delete comments
Setup (one time)
1. Create a Meta App
- Go to https://developers.facebook.com/apps/ → Create App
- Choose "Other" → "Business" (or Consumer, depending on the use case)
- Enter the app name and email
- Go to App settings > Basic: get the App ID and App Secret
2. Configure OAuth
- Go to Add Product → add Facebook Login
- In Facebook Login > Settings:
  - Valid OAuth Redirect URIs: leave empty (the manual code flow is used)
- Go to App Roles > Roles → add the account as Admin/Developer
3. Configure .env
cd skills/facebook-page
cp .env.example .env
# Edit .env with your App ID and Secret
4. Install dependencies and get a token
cd scripts
npm install
node auth.js login
The script will:
- Print a URL for the user to open in a browser, log in, and approve permissions
- The user copies the URL after approving (it contains code=...)
- Paste the URL into the terminal
- The script exchanges the code → long-lived token → page tokens
- Save the tokens to ~/.config/fbpage/tokens.json
Commands
List pages
node cli.js pages
Create a text post
node cli.js post create --page PAGE_ID --message "Hello world"
Create a post with a photo
node cli.js post create --page PAGE_ID --message "Caption" --photo /path/to/image.jpg
Create a post with a link
node cli.js post create --page PAGE_ID --message "Check this out" --link "https://example.com"
List posts
node cli.js post list --page PAGE_ID --limit 10
List a post's comments
node cli.js comments list --post POST_ID
Reply comment
node cli.js comments reply --comment COMMENT_ID --message "Thanks!"
Hide comment
node cli.js comments hide --comment COMMENT_ID
Delete comment
node cli.js comments delete --comment COMMENT_ID
Required permissions
- pages_show_list - list pages
- pages_read_engagement - read posts/comments
- pages_manage_posts - create/edit/delete posts
- pages_manage_engagement - manage comments
Notes
- Page tokens do not expire (if obtained from a long-lived user token)
- Do not log/print tokens to output
- An app in Testing mode only works with accounts listed in Roles
Usage Guidance
This skill contains mostly-expected Facebook CLI code but also includes two undocumented X→Facebook digest scripts that require X cookies (AUTH_TOKEN, CT0) and an external 'bird' binary. Before installing or running it:
1) Ask the author why the X-digest scripts are bundled and request explicit documentation of required env vars and binaries.
2) Do NOT provide your X cookies (AUTH_TOKEN/CT0) unless you fully trust the author and have audited those scripts.
3) Verify the provenance of any external 'bird' binary before installing; avoid installing unknown executables.
4) Note the tokens file path mismatch (SKILL.md vs actual code); confirm where tokens will be stored and consider storing tokens in a location you control.
5) If you only need FB management, remove or ignore x_digest_*.js files or run the package in an isolated environment (VM/container) and inspect the code yourself.
If you want help producing a minimal, audited version that only implements the FB CLI, I can outline the exact files/lines to remove or sanitize.
Capability Analysis
Type: OpenClaw Skill
Name: facebook-page-manager-1-0-0
Version: 1.0.0
The skill is classified as suspicious due to a critical arbitrary command execution vulnerability. The scripts `scripts/x_digest_collect.js` and `scripts/x_digest_to_fb.js` use `child_process.execFileSync("bird", ...)` to execute an external, unmanaged binary named 'bird'. This binary is not declared as a dependency, and sensitive environment variables (AUTH_TOKEN, CT0 for X/Twitter) are passed to it, creating a significant RCE risk and potential for credential theft if the 'bird' binary is compromised or manipulated.
Capability Assessment
Purpose & Capability
The skill advertises Facebook Page management and provides auth/CLI/posting scripts that match that purpose. However, two additional scripts (x_digest_collect.js and x_digest_to_fb.js) perform searches on X and automatically post digests to Facebook. Those X-related capabilities are not documented in SKILL.md (no commands or setup guidance), so the bundle contains extra functionality that a user wouldn't expect from the description.
Instruction Scope
SKILL.md documents only the Facebook auth flow and npm install, but it does not mention the X-digest scripts, their required environment variables (AUTH_TOKEN, CT0), or the dependency on an external 'bird' CLI. SKILL.md also states tokens are saved to ~/.config/fbpage/tokens.json, while auth.js actually writes tokens.json into the skill directory — a concrete mismatch. The instructions therefore omit actions and secrets that the included code requires.
Install Mechanism
There is no formal install spec (instruction-only), which is lower risk in general, and the Node dependencies (commander, dotenv) are standard. However the x_digest scripts call an external binary named 'bird' via execFileSync; SKILL.md does not declare that any external binary is required nor its provenance. Requiring an undocumented external binary that will be executed with elevated environment variables increases risk.
Credentials
env_example.md and SKILL.md only document META_APP_ID / META_APP_SECRET, but the code requires additional secrets: the x_digest scripts require AUTH_TOKEN and CT0 (X cookies). The skill does not declare these env requirements in its metadata. Also the SKILL.md claims tokens are saved to ~/.config/fbpage/tokens.json but auth.js writes tokens.json into the skill directory — inconsistent handling of credential storage. Requesting X cookies is disproportionate to the advertised purpose unless the user explicitly wants automated X→Facebook posting.
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). But it writes tokens.json to disk (in the skill directory), downloads remote images to /tmp, and executes an external 'bird' binary while injecting sensitive X cookies into its environment. Executing an external program with sensitive environment variables and writing token files creates a higher blast radius if the invoked binary or the script is malicious or misconfigured.
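The undeclared-secret and undeclared-binary findings above can be checked mechanically before a skill is installed. The following is an added example, not code from the skill or from the marketplace scanner: the file contents are constructed samples that mimic the reported pattern, and the names declaredEnv and auditSkill are hypothetical.

```javascript
// Constructed sample inputs (NOT the skill's real files): they mimic the
// pattern the report describes so the audit has something to find.
const SAMPLE_ENV_EXAMPLE = "META_APP_ID=\nMETA_APP_SECRET=\n";
const SAMPLE_FILES = {
  "scripts/auth.js":
    'require("dotenv").config();\n' +
    "const id = process.env.META_APP_ID;\n" +
    "const secret = process.env.META_APP_SECRET;\n",
  "scripts/x_digest_collect.js":
    'const { execFileSync } = require("child_process");\n' +
    "const env = { ...process.env, AUTH_TOKEN: process.env.AUTH_TOKEN,\n" +
    '  CT0: process.env["CT0"] };\n' +
    'execFileSync("bird", ["search", "topic"], { env });\n',
};

// Names declared in a .env.example-style file (KEY=value lines).
function declaredEnv(envExampleText) {
  const names = new Set();
  for (const line of envExampleText.split(/\r?\n/)) {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(line);
    if (m) names.add(m[1]);
  }
  return names;
}

// Report env vars the code reads but the docs never declare, and literal
// command names passed to child_process exec*/spawn* calls.
function auditSkill(files, envExampleText) {
  const declared = declaredEnv(envExampleText);
  const envRe = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*["']([^"']+)["']\s*\])/g;
  const execRe = /\b(execFileSync|execFile|execSync|exec|spawnSync|spawn)\s*\(\s*["']([^"']+)["']/g;
  const findings = { undeclaredEnv: [], externalCommands: [] };
  for (const [path, src] of Object.entries(files)) {
    for (const m of src.matchAll(envRe)) {
      const name = m[1] || m[2];
      const seen = findings.undeclaredEnv.some(f => f.path === path && f.name === name);
      if (!declared.has(name) && !seen) findings.undeclaredEnv.push({ path, name });
    }
    for (const m of src.matchAll(execRe))
      findings.externalCommands.push({ path, call: m[1], command: m[2] });
  }
  return findings;
}

console.log(JSON.stringify(auditSkill(SAMPLE_FILES, SAMPLE_ENV_EXAMPLE), null, 2));
```

The matching is regex-based, so dynamically built variable names and aliased child_process imports are not caught; treat an empty result as a prompt for manual review, not as clearance.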
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install facebook-page-manager-1-0-0
- After installation, invoke the skill by name or use /facebook-page-manager-1-0-0
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Manage Facebook Pages with Meta Graph API
- List and select Facebook Pages you manage.
- Post text, image, or link content to Pages.
- View and manage Page posts.
- List, reply to, hide, or delete comments on posts.
- Includes setup instructions for app creation, OAuth, and permissions.
Frequently Asked Questions
What is Facebook Page Manager 1.0.0?
Manage Facebook Pages via Meta Graph API. Post content (text, photos, links), list posts, manage comments (list/reply/hide/delete). Use when user wants to pu... It is an AI Agent Skill for Claude Code / OpenClaw, with 490 downloads so far.
How do I install Facebook Page Manager 1.0.0?
Run "/install facebook-page-manager-1-0-0" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Facebook Page Manager 1.0.0 free?
Yes, Facebook Page Manager 1.0.0 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Facebook Page Manager 1.0.0 support?
Facebook Page Manager 1.0.0 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Facebook Page Manager 1.0.0?
It is built and maintained by Lougazi (@loui1979); the current version is v1.0.0.