← Back to Skills Marketplace

Techla FB Repost

Name: Techla FB Repost
Author: techlaai

by techlaai · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

388

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install techla-fb-repost

Description

Skill để lấy nội dung từ link bài viết Facebook, viết lại bài theo phong cách phù hợp, tạo ảnh minh họa bằng Gemini, rồi đăng lên Facebook Page qua Graph API...

Usage Guidance

This skill appears to do what it says, but take these precautions before using it: - Metadata mismatch: the registry lists no required env vars or dependencies but SKILL.md and the scripts clearly need APIFY_TOKEN, GEMINI_API_KEY, FB_PAGE_ID and FB_PAGE_ACCESS_TOKEN and a Python runtime with the 'requests' package. Expect to provide those secrets and to have python3 + requests available. - Secret handling: the scripts accept API keys and tokens as command-line arguments. On multi-user systems, command-line arguments can be visible to other users (via ps). Prefer providing tokens via a secure secrets store or environment variables and avoid pasting long-lived page tokens into ephemeral chat entries. - Confirm-before-post: SKILL.md includes a checklist that requires explicit user confirmation before posting. Before enabling the skill for autonomous use, verify the agent actually shows the preview and waits for your confirmation as promised. Don't enable full autonomy unless you trust the skill and have tested it. - Token scope & rotation: Facebook Page tokens can be powerful. Use the minimum-scoped token, test on a throwaway page first, and be prepared to revoke/rotate tokens if you suspect misuse. - Dependency & runtime: ensure python3 and the 'requests' package are installed in the environment the agent will run in. Consider reviewing the code yourself or running it locally to confirm behavior before granting secrets. If you need higher assurance, request the publisher to: (1) update registry metadata to list required env vars and runtime dependencies, (2) switch to reading secrets from environment variables or a secure file rather than CLI args, and (3) provide a provenance/homepage or contact so you can validate the source. If you cannot verify the source or cannot secure the tokens, do not install or run this skill with your production Page token.

Capability Analysis

Type: OpenClaw Skill Name: techla-fb-repost Version: 1.0.0 The skill is classified as suspicious due to a significant shell injection vulnerability. The Python scripts (`scrape_fb.py`, `generate_image.py`, `post_fb.py`) directly use `sys.argv` for arguments like URLs, image prompts, and messages. The `SKILL.md` instructs the OpenClaw agent to execute these scripts via shell commands, passing user-controlled input directly. If the agent fails to properly sanitize or quote these inputs, an attacker could inject arbitrary shell commands, leading to remote code execution. While the skill's stated purpose is benign, this design flaw creates a critical vulnerability.

Capability Assessment

ℹ Purpose & Capability

The skill's actions (Apify scraping, Gemini image generation, Facebook Graph posting) are coherent with the description. However registry metadata declares no required credentials or dependencies while SKILL.md and the scripts clearly require APIFY_TOKEN, GEMINI_API_KEY, FB_PAGE_ID and FB_PAGE_ACCESS_TOKEN and expect Python. That mismatch between declared metadata and actual runtime requirements is an inconsistency you should be aware of.

ℹ Instruction Scope

The SKILL.md clearly limits actions to: call Apify to scrape, call a model (agent) to rewrite, call Gemini for images, and call Facebook Graph API to upload and post. It also includes a checklist requiring user confirmation before posting. No hidden external endpoints appear in the scripts. One scope concern: SKILL.md instructs the agent to 'activate whenever user provides a FB link + asks to repost' — if the agent is permitted to autonomously pick skills, this could cause the skill to be selected often. Also the instructions and scripts take secrets as command-line arguments (exposing them to process listings) instead of using env vars, which is a privacy/security concern.

ℹ Install Mechanism

There is no install spec (instruction-only + shipped scripts), which reduces install-surface risk. But the package includes Python scripts that import the third-party 'requests' library; the skill metadata did not declare a dependency or required binary (python3) or a way to install requests. That omission can cause runtime errors or lead users to manually install packages without guidance.

⚠ Credentials

The credentials requested in SKILL.md (APIFY_TOKEN, GEMINI_API_KEY, FB_PAGE_ID, FB_PAGE_ACCESS_TOKEN) are appropriate for the stated functionality. However the registry metadata lists no required env vars/primary credential — a clear mismatch. Additional concern: scripts accept credentials as CLI arguments which can be exposed via system process listings (ps). The skill also suggests storing secrets in OpenClaw secrets/env vars but does not enforce or demonstrate that; verify how you will supply tokens securely.

✓ Persistence & Privilege

The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide settings. Autonomous invocation is allowed by default on the platform, which is normal; this skill does not add unusual persistence privileges.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install techla-fb-repost
After installation, invoke the skill by name or use /techla-fb-repost
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

fb-repost 1.0.0 — initial release - Supports reposting Facebook posts to a Facebook Page: scrape content, rewrite for page style, auto-generate images (Gemini), post via Graph API. - Works when user supplies any Facebook link and requests reposting/rewriting. - Requires Apify/Gemini/Facebook Page credentials (guidance and env var support included). - Step-by-step workflow: scrape post → analyze/rewrite → generate image → preview → seek confirmation → post. - Built-in error handling and user-friendly confirmation/checklist before publishing.

Metadata

Slug techla-fb-repost

Version 1.0.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Techla FB Repost?

Skill để lấy nội dung từ link bài viết Facebook, viết lại bài theo phong cách phù hợp, tạo ảnh minh họa bằng Gemini, rồi đăng lên Facebook Page qua Graph API... It is an AI Agent Skill for Claude Code / OpenClaw, with 388 downloads so far.

How do I install Techla FB Repost?

Run "/install techla-fb-repost" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Techla FB Repost free?

Yes, Techla FB Repost is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Techla FB Repost support?

Techla FB Repost is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Techla FB Repost?

It is built and maintained by techlaai (@techlaai); the current version is v1.0.0.

More Skills