← 返回 Skills 市场

Facebook Page Manager 1.0.0

Name: Facebook Page Manager 1.0.0
Author: loui1979

作者 Lougazi · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

490

总下载

当前安装

版本数

在 OpenClaw 中安装

/install facebook-page-manager-1-0-0

功能描述

Manage Facebook Pages via Meta Graph API. Post content (text, photos, links), list posts, manage comments (list/reply/hide/delete). Use when user wants to pu...

使用说明 (SKILL.md)

Facebook Page

Skill để quản lý Facebook Page qua Meta Graph API.

Chức năng

List các Page mà user quản lý
Đăng bài (text, ảnh, link)
List bài đăng của Page
List/reply/hide/delete comment

Setup (một lần)

1. Tạo Meta App

Vào https://developers.facebook.com/apps/ → Create App
Chọn "Other" → "Business" (hoặc Consumer tuỳ use-case)
Điền tên app, email
Vào App settings > Basic: lấy App ID và App Secret

2. Cấu hình OAuth

Vào Add Product → thêm Facebook Login
Trong Facebook Login > Settings:
- Valid OAuth Redirect URIs: để trống (dùng manual code flow)
Vào App Roles > Roles → thêm account làm Admin/Developer

3. Cấu hình .env

cd skills/facebook-page
cp .env.example .env
# Edit .env với App ID và Secret

4. Cài dependencies và lấy token

cd scripts
npm install
node auth.js login

Script sẽ:

In ra URL để user mở browser, đăng nhập, approve permissions
User copy URL sau khi approve (chứa code=...)
Paste URL vào terminal
Script exchange code → long-lived token → page tokens
Lưu tokens vào ~/.config/fbpage/tokens.json

Commands

List pages

node cli.js pages

Đăng bài text

node cli.js post create --page PAGE_ID --message "Hello world"

Đăng bài có ảnh

node cli.js post create --page PAGE_ID --message "Caption" --photo /path/to/image.jpg

Đăng bài có link

node cli.js post create --page PAGE_ID --message "Check this out" --link "https://example.com"

List posts

node cli.js post list --page PAGE_ID --limit 10

List comments của post

node cli.js comments list --post POST_ID

Reply comment

node cli.js comments reply --comment COMMENT_ID --message "Thanks!"

Hide comment

node cli.js comments hide --comment COMMENT_ID

Delete comment

node cli.js comments delete --comment COMMENT_ID

Permissions cần thiết

pages_show_list - list pages
pages_read_engagement - đọc posts/comments
pages_manage_posts - đăng/sửa/xoá bài
pages_manage_engagement - quản lý comments

Lưu ý

Token Page không hết hạn (nếu lấy từ long-lived user token)
Không log/print token ra output
App ở Testing mode chỉ hoạt động với accounts trong Roles

安全使用建议

This skill contains mostly-expected Facebook CLI code but also includes two undocumented X→Facebook digest scripts that require X cookies (AUTH_TOKEN, CT0) and an external 'bird' binary. Before installing or running it: 1) Ask the author why the X-digest scripts are bundled and request explicit documentation of required env vars and binaries. 2) Do NOT provide your X cookies (AUTH_TOKEN/CT0) unless you fully trust the author and have audited those scripts. 3) Verify the provenance of any external 'bird' binary before installing; avoid installing unknown executables. 4) Note the tokens file path mismatch (SKILL.md vs actual code); confirm where tokens will be stored and consider storing tokens in a location you control. 5) If you only need FB management, remove or ignore x_digest_*.js files or run the package in an isolated environment (VM/container) and inspect the code yourself. If you want help producing a minimal, audited version that only implements the FB CLI, I can outline the exact files/lines to remove or sanitize.

功能分析

Type: OpenClaw Skill Name: facebook-page-manager-1-0-0 Version: 1.0.0 The skill is classified as suspicious due to a critical arbitrary command execution vulnerability. The scripts `scripts/x_digest_collect.js` and `scripts/x_digest_to_fb.js` use `child_process.execFileSync("bird", ...)` to execute an external, unmanaged binary named 'bird'. This binary is not declared as a dependency, and sensitive environment variables (AUTH_TOKEN, CT0 for X/Twitter) are passed to it, creating a significant RCE risk and potential for credential theft if the 'bird' binary is compromised or manipulated.

能力评估

⚠ Purpose & Capability

The skill advertises Facebook Page management and provides auth/CLI/posting scripts that match that purpose. However, two additional scripts (x_digest_collect.js and x_digest_to_fb.js) perform searches on X and automatically post digests to Facebook. Those X-related capabilities are not documented in SKILL.md (no commands or setup guidance), so the bundle contains extra functionality that a user wouldn't expect from the description.

⚠ Instruction Scope

SKILL.md documents only the Facebook auth flow and npm install, but it does not mention the X-digest scripts, their required environment variables (AUTH_TOKEN, CT0), or the dependency on an external 'bird' CLI. SKILL.md also states tokens are saved to ~/.config/fbpage/tokens.json, while auth.js actually writes tokens.json into the skill directory — a concrete mismatch. The instructions therefore omit actions and secrets that the included code requires.

⚠ Install Mechanism

There is no formal install spec (instruction-only), which is lower risk in general, and the Node dependencies (commander, dotenv) are standard. However the x_digest scripts call an external binary named 'bird' via execFileSync; SKILL.md does not declare that any external binary is required nor its provenance. Requiring an undocumented external binary that will be executed with elevated environment variables increases risk.

⚠ Credentials

env_example.md and SKILL.md only document META_APP_ID / META_APP_SECRET, but the code requires additional secrets: the x_digest scripts require AUTH_TOKEN and CT0 (X cookies). The skill does not declare these env requirements in its metadata. Also the SKILL.md claims tokens are saved to ~/.config/fbpage/tokens.json but auth.js writes tokens.json into the skill directory — inconsistent handling of credential storage. Requesting X cookies is disproportionate to the advertised purpose unless the user explicitly wants automated X→Facebook posting.

⚠ Persistence & Privilege

The skill is not always-enabled and is user-invocable (normal). But it writes tokens.json to disk (in the skill directory), downloads remote images to /tmp, and executes an external 'bird' binary while injecting sensitive X cookies into its environment. Executing an external program with sensitive environment variables and writing token files creates a higher blast radius if the invoked binary or the script is malicious or misconfigured.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install facebook-page-manager-1-0-0
安装完成后，直接呼叫该 Skill 的名称或使用 /facebook-page-manager-1-0-0 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release: Manage Facebook Pages with Meta Graph API - List and select Facebook Pages you manage. - Post text, image, or link content to Pages. - View and manage Page posts. - List, reply to, hide, or delete comments on posts. - Includes setup instructions for app creation, OAuth, and permissions.

元数据

Slug facebook-page-manager-1-0-0

版本 1.0.0

许可证 —

累计安装 1

当前安装数 1

历史版本数 1

常见问题