← 返回 Skills 市场
709
总下载
2
收藏
2
当前安装
17
版本数
在 OpenClaw 中安装
/install facebook-page
功能描述
Facebook Page manager: post, schedule, reply, get insights & more. Requires: powershell/pwsh. Reads ~/.config/fb-page/credentials.json (FB_PAGE_TOKEN, FB_PAG...
使用说明 (SKILL.md)
facebook-page — Universal Meta Graph API Skill
Constructs and executes Meta Graph API calls inline based on what the user wants. No scripts needed.
API version: v25.0
Base URL: https://graph.facebook.com/v25.0
STEP 1 — Load Credentials
Credentials are stored in ~/.config/fb-page/credentials.json.
$cfg = Get-Content "$HOME/.config/fb-page/credentials.json" -Raw | ConvertFrom-Json
$token = $cfg.FB_PAGE_TOKEN
$pageId = $cfg.FB_PAGE_ID
If the file doesn't exist, guide setup. Required fields:
| Field | Purpose |
|---|---|
FB_PAGE_TOKEN |
Never-expiring Page access token — used for all API calls |
FB_PAGE_ID |
Numeric Facebook Page ID |
FB_APP_ID |
Meta App ID — only needed during token exchange |
FB_APP_SECRET |
Meta App Secret — only needed during token exchange |
One-time token exchange setup:
# Provide: $appId, $appSecret, $shortToken (from Graph API Explorer), $pageId
# 1. Exchange for long-lived user token
$r1 = Invoke-RestMethod "https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id=$appId&client_secret=$appSecret&fb_exchange_token=$shortToken"
# 2. Get never-expiring Page token
$r2 = Invoke-RestMethod "https://graph.facebook.com/v25.0/$pageId?fields=access_token&access_token=$($r1.access_token)"
$pageToken = $r2.access_token
# 3. Save — only these four fields, nothing else
@{
FB_PAGE_ID = $pageId
FB_PAGE_TOKEN = $pageToken
FB_APP_ID = $appId
FB_APP_SECRET = $appSecret
} | ConvertTo-Json | Set-Content "$HOME/.config/fb-page/credentials.json" -Encoding UTF8
Restrict file permissions immediately after saving:
# Windows
icacls "$HOME/.config/fb-page/credentials.json" /inheritance:r /grant:r "$($env:USERNAME):(R,W)"
# macOS / Linux
# chmod 600 ~/.config/fb-page/credentials.json
âš ï¸ Never commit this file to version control. It contains long-lived secrets. This skill makes no external calls other than to
graph.facebook.com. No data is forwarded to third parties.
STEP 2 — Figure Out the API Call
Common Endpoints
| What user wants | Method | Endpoint |
|---|---|---|
| Post text | POST | /$pageId/feed — body: message |
| Post with image | POST | /$pageId/photos — multipart: source + message |
| Post with video | POST | /$pageId/videos — multipart: source + description |
| Post with link | POST | /$pageId/feed — body: message + link |
| Delete a post | DELETE | /{post-id} |
| Schedule a post | POST | /$pageId/feed — body: message + published=false + scheduled_publish_time (unix timestamp) |
| Get recent posts | GET | /$pageId/published_posts?fields=id,message,created_time&limit=10 |
| Get page info | GET | /$pageId?fields=name,fan_count,followers_count,about |
| Like a post | POST | /{post-id}/likes |
| Get comments | GET | /{post-id}/comments?fields=message,from,created_time |
| Reply to comment | POST | /{comment-id}/comments — body: message |
| Hide comment | POST | /{comment-id} — body: is_hidden=true |
| Delete comment | DELETE | /{comment-id} |
| Get page insights | GET | /$pageId/insights?metric=page_fans,page_impressions&period=day |
| Get post insights | GET | /{post-id}/insights?metric=post_impressions,post_reactions_by_type_total |
| List events | GET | /$pageId/events?fields=name,start_time,description |
| Create event | POST | /$pageId/events — body: name, start_time, description |
| List albums | GET | /$pageId/albums?fields=name,count |
| Get page roles | GET | /$pageId/roles |
| Publish draft post | POST | /{post-id} — body: is_published=true |
API Call Patterns
GET:
$result = Invoke-RestMethod -Uri "https://graph.facebook.com/v25.0/ENDPOINT?access_token=$token" -ErrorAction Stop
POST (form body):
$result = Invoke-RestMethod -Uri "https://graph.facebook.com/v25.0/ENDPOINT" -Method POST `
-Body @{ field1="value1"; field2="value2"; access_token=$token } -ErrorAction Stop
DELETE:
$result = Invoke-RestMethod -Uri "https://graph.facebook.com/v25.0/{id}?access_token=$token" -Method DELETE -ErrorAction Stop
Multipart (image/video upload):
$boundary = [System.Guid]::NewGuid().ToString()
$fileBytes = [System.IO.File]::ReadAllBytes($filePath)
$fileName = [System.IO.Path]::GetFileName($filePath)
$stream = New-Object System.IO.MemoryStream
$writer = New-Object System.IO.StreamWriter($stream)
$writer.Write("--$boundary`r`nContent-Disposition: form-data; name=`"message`"`r`n`r`n$message`r`n")
$writer.Write("--$boundary`r`nContent-Disposition: form-data; name=`"access_token`"`r`n`r`n$token`r`n")
$writer.Write("--$boundary`r`nContent-Disposition: form-data; name=`"source`"; filename=`"$fileName`"`r`nContent-Type: image/jpeg`r`n`r`n")
$writer.Flush(); $stream.Write($fileBytes, 0, $fileBytes.Length)
$writer.Write("`r`n--$boundary--`r`n"); $writer.Flush()
$result = Invoke-RestMethod -Uri "https://graph.facebook.com/v25.0/$pageId/photos" -Method POST `
-ContentType "multipart/form-data; boundary=$boundary" -Body $stream.ToArray() -ErrorAction Stop
Scheduled post — convert local time to Unix timestamp:
$runAt = [datetime]"2026-03-15 09:00"
$unixTime = [int][double]::Parse(($runAt.ToUniversalTime() - [datetime]"1970-01-01").TotalSeconds)
$result = Invoke-RestMethod -Uri "https://graph.facebook.com/v25.0/$pageId/feed" -Method POST `
-Body @{ message="text"; published="false"; scheduled_publish_time=$unixTime; access_token=$token } -ErrorAction Stop
STEP 3 — Handle Errors
try {
# ... API call ...
} catch {
$err = $_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue
$code = $err.error.code
$subcode = $err.error.error_subcode
$msg = $err.error.message
}
| Code | Subcode | Meaning | Fix |
|---|---|---|---|
| 100 | — | Invalid parameter | Check the parameter values |
| 102 | — | Session expired | Re-run setup to get a new token |
| 190 | 460 | Token expired | Re-run setup with a new short-lived token |
| 190 | 467 | Invalid token | Re-run setup |
| 200 | — | Permission denied | Add the permission listed in error.message to your app |
| 10 | — | Permission denied (page) | Add pages_read_engagement or pages_manage_posts |
| 230 | — | Requires re-auth | Re-run setup |
| 368 | — | Temporarily blocked | Wait and retry; page may be rate-limited |
Permissions Reference
| Permission | Required for |
|---|---|
pages_manage_posts |
Create, delete, schedule posts |
pages_read_engagement |
Read posts, likes, comments, insights |
pages_show_list |
List pages you manage |
pages_manage_metadata |
Update page settings |
pages_manage_engagement |
Moderate comments, reply to reviews |
pages_read_user_content |
Read visitor posts and comments |
pages_manage_ads |
Manage ad campaigns on the page |
pages_manage_instant_articles |
Manage Instant Articles |
If a permission is missing:
- Go to Meta for Developers
- Select your app → Permissions and Features
- Add the required permission
- Regenerate token via Graph API Explorer
- Re-run setup with the new token
AGENT RULES
- Always load credentials first. If missing or incomplete, guide setup.
- Only use
FB_PAGE_TOKENandFB_PAGE_IDfor API calls.FB_APP_IDandFB_APP_SECRETare for token exchange only. - Never write extra fields to the credentials file (no owner IDs, conv IDs, or third-party keys).
- Remove FB_APP_SECRET from credentials.json after token exchange — it is not needed for API calls.
- Least-privilege: only request the permissions your use case needs. Do not request
pages_manage_adsorpages_manage_instant_articlesunless explicitly needed. - Rotate FB_PAGE_TOKEN periodically via Graph API Explorer, and immediately if the host is ever compromised.
- All API calls go to
graph.facebook.comonly. No external forwarding, no third-party services. - Construct API calls inline from user intent — don't look for script files.
- On any error: parse
error.code+error.error_subcode, map to the table above, tell the user exactly what to do. - If a permission is missing: name it, link to Meta for Developers, say to re-run setup.\r
安全使用建议
This skill appears internally consistent with a Facebook Page manager, but pay attention to provenance and secret handling before installing:
- Confirm you trust the skill source (no homepage and unknown source are signals to verify the publisher before use).
- The skill requires a Page access token (FB_PAGE_TOKEN) and Page ID stored at ~/.config/fb-page/credentials.json. That file contains sensitive, long-lived credentials — follow the SKILL.md advice: restrict file permissions (chmod 600 / icacls) and do not commit it to version control.
- The one-time token exchange uses FB_APP_SECRET; store that only temporarily and delete it afterward as instructed.
- Review and grant only the minimal Graph API permissions the skill needs (pages_manage_posts, pages_read_engagement, etc.).
- Be aware the skill can perform destructive actions (delete posts/comments). Require explicit confirmation when the agent asks to perform destructive operations.
- If you have doubts about provenance, run the skill in an isolated environment or test with a throwaway Page and tokens you can revoke, and rotate tokens immediately after testing.
功能分析
Type: OpenClaw Skill
Name: facebook-page
Version: 1.0.16
The skill is designed for legitimate Facebook Page management, explicitly limiting network calls to `graph.facebook.com` and providing security-conscious instructions for handling credentials (e.g., removing `FB_APP_SECRET`, restricting file permissions). However, the core functionality involves the AI agent constructing and executing PowerShell commands (`Invoke-RestMethod`, `Get-Content`, `Set-Content`) based on user input. This pattern, while necessary for the skill's purpose, introduces a significant vulnerability for command injection if the agent's input sanitization is imperfect, as user-controlled strings could be interpolated directly into shell commands. This is a vulnerability in the execution model rather than intentional malice within the skill's instructions, hence 'suspicious'.
能力评估
Purpose & Capability
Name/description (Facebook Page manager) aligns with requested artifacts: it requires PowerShell and a credentials file containing FB_PAGE_TOKEN and FB_PAGE_ID. No unrelated cloud credentials, other service keys, or unrelated binaries are requested.
Instruction Scope
Runtime instructions are narrowly scoped to: (1) read ~/.config/fb-page/credentials.json, (2) optionally perform a one-time token exchange using FB_APP_ID/FB_APP_SECRET, and (3) construct Invoke-RestMethod calls to graph.facebook.com endpoints. The SKILL.md explicitly limits external calls to graph.facebook.com only. Caution: it instructs storing FB_APP_SECRET in the same credentials file temporarily for token exchange (and to delete it afterward). The skill also includes examples for destructive actions (delete posts/comments) which are legitimate for the stated purpose but warrant user confirmation before execution.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. It only requires that powershell/pwsh be available on the host; nothing is downloaded or written by an install step.
Credentials
No environment variables are required. The declared primary credential is a local file (~/.config/fb-page/credentials.json) containing FB_PAGE_TOKEN and FB_PAGE_ID (required) and optional FB_APP_ID/FB_APP_SECRET for token exchange. This is proportionate to the purpose, but storing long-lived tokens and an app secret on disk is sensitive — the skill documents this and instructs restricting file permissions and deleting the app secret after use.
Persistence & Privilege
always:false (not force-included). disable-model-invocation:false is the normal default (agent may call the skill autonomously). The skill does not request persistent system-wide privileges or modify other skills' configs.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install facebook-page - 安装完成后,直接呼叫该 Skill 的名称或使用
/facebook-page触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.16
Improved description for discoverability
v1.0.15
Fix scanner: move required binaries (powershell/pwsh) and credentials path to start of description so they appear in registry summary. Add metadata.openclaw.requires.anyBins for load-time OS gating.
v1.0.14
Fix critical: missing closing --- in SKILL.md frontmatter caused OpenClaw to fail parsing the skill entirely (not detected by openclaw skills list). Added closing --- after metadata line.
v1.0.13
Fix ownerId mismatch: use registry userId (not handle) in _meta.json so registry owner verification passes.
v1.0.12
Fix metadata inconsistency: move credential requirements into description (the only registry-surfaced field) so scanner can verify them. Credential file path, required fields, APP_SECRET deletion guidance, and rotation policy now visible at registry level.
v1.0.11
Fix: declare requiredConfigPaths and primaryCredential correctly in _meta.json so registry surfaces them. Add required/optional field split. Guidance to delete FB_APP_SECRET after token exchange. Least-privilege token notes. Rotation guidance.
v1.0.10
Remove always:true from metadata (scanner inconsistency fix). Skills with no always flag are eligible by default. Enable via openclaw.json skills.entries instead.
v1.0.9
Add metadata.openclaw with always:true so OpenClaw always loads this skill in the agent prompt
v1.0.8
Clean frontmatter to name+description only (per skill spec). Move all credential declarations to _meta.json top-level fields: requiredEnvVars, requiredConfigPaths, primaryCredential.
v1.0.7
Fix metadata schema: use correct clawdbot inline JSON format with bins/credentials fields matching registry expectations. Slim _meta.json to match platform convention.
v1.0.6
Rewrite README to remove all references to background listener, Telegram forwarding, and FB_OWNER_* fields. Align README, SKILL.md, and _meta.json. Fix binary metadata mismatch.
v1.0.5
Fix security warnings: declare all credential fields in metadata, remove unexplained owner fields, add file permission guidance, clarify no external forwarding
v1.0.4
- Removed setup and troubleshooting documentation files.
- SKILL.md no longer references how to read or reply to page inbox/conversations.
- Messaging-related API endpoints and instructions have been omitted in documentation, focusing on core page management features.
- Error handling and permission tables are streamlined to match available features.
- Overall, skill documentation is now more concise, focusing on main Facebook Page API workflows.
v1.0.3
No user-facing changes in this version.
- No file changes detected.
- Functionality and documentation remain unchanged from previous version.
v1.0.2
- No code or content changes; version bump only.
- All functionality and documentation remain unchanged.
v1.0.1
- Added initial README.md file with documentation and setup instructions.
- No code changes; documentation only.
v1.0.0
Initial release: universal Facebook Page management via Meta Graph API.
- Handle all Facebook Page tasks (posting, scheduling, inbox, events, moderation, insights) using dynamic API calls.
- Auto-detect correct Graph API endpoint and method from user request; no fixed commands needed.
- Guides user through Page access token setup, including conversion to a never-expiring token.
- Provides clear error messages and exact permission requirements if API calls fail.
- Includes step-by-step PowerShell code reference for all supported actions.
元数据
常见问题
Facebook Page 是什么?
Facebook Page manager: post, schedule, reply, get insights & more. Requires: powershell/pwsh. Reads ~/.config/fb-page/credentials.json (FB_PAGE_TOKEN, FB_PAG... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 709 次。
如何安装 Facebook Page?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install facebook-page」即可一键安装,无需额外配置。
Facebook Page 是免费的吗?
是的,Facebook Page 完全免费(开源免费),可自由下载、安装和使用。
Facebook Page 支持哪些平台?
Facebook Page 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Facebook Page?
由 seph(@seph1709)开发并维护,当前版本 v1.0.16。
推荐 Skills