Facebook Graph API Skill (Secure)

Author: kevinkom-byte · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 170
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install facebook-secure
Description
OpenClaw skill for Facebook Graph API workflows focused on Pages posting, comments, and Page management using direct HTTPS requests.
Usage instructions (SKILL.md)

Facebook Graph API Skill (Advanced)

Purpose

Provide a production-oriented guide for building Facebook Graph API workflows for Pages: publishing posts, managing comments, and operating Page content safely using direct HTTPS calls.

Best fit

  • You need Page posting and comment workflows.
  • You want a professional command design and safe operational guidance.
  • You prefer direct HTTP requests rather than SDKs.

Not a fit

  • You need advanced ads or marketing APIs.
  • You must use complex browser-based OAuth flows.

Quick orientation

  • Read references/graph-api-overview.md for base URLs, versions, and request patterns.
  • Read references/page-posting.md for Page publishing workflows and fields.
  • Read references/comments-moderation.md for comment actions and moderation flows.
  • Read references/permissions-and-tokens.md for access types and scope guidance.
  • Read references/webhooks.md for subscriptions and verification steps.
  • Read references/http-request-templates.md for concrete HTTP request payloads.

Required inputs

  • Facebook App ID and App Secret.
  • Target Page ID(s).
  • Token strategy: user token → Page access token.
  • Required permissions and review status.

Expected output

  • A clear Page workflow plan, permissions checklist, and operational guardrails.

Operational notes

  • Use least-privilege permissions.
  • Handle rate limits and retries.
  • Log minimal identifiers only.

Security notes

  • Never log tokens or app secrets.
  • Validate webhook signatures.

Credentials & Secret Management

This skill requires the following environment variables to be set:

  • FB_APP_ID – Your Facebook App ID.
  • FB_APP_SECRET – Your Facebook App Secret (highly sensitive).
  • FB_PAGE_ID – The target Facebook Page ID.
  • FB_ACCESS_TOKEN – A Page access token with sufficient permissions.

Best practices:

  • Store secrets in a secure vault or environment manager; do not hardcode.
  • Use different tokens for development and production.
  • Rotate tokens periodically and after any suspected compromise.
  • Restrict App Secret access to minimal personnel.

Incident Response

If a token or secret is suspected to be leaked:

  1. Immediately revoke the token in the Facebook Developer Dashboard.
  2. Generate a new Page access token.
  3. Rotate the App Secret if necessary.
  4. Review logs for unauthorized usage.

Authentication

All Graph API calls must include a valid access token either as a query parameter access_token or in the Authorization: Bearer <token> header. See references/http-request-templates.md for examples.
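
The two token placements above differ in what ends up in logs: a query-string token travels with the URL, a header token does not. The following is an added example, not part of the skill's own files; it builds a Graph API request with the token in the Authorization header and redacts credential parameters from any URL before it is logged. The page ID, token value, and helper names are constructed for illustration.

```python
import os
import urllib.parse
import urllib.request

GRAPH_BASE = "https://graph.facebook.com"
# Query parameters that carry credentials in Graph API URLs.
SENSITIVE_PARAMS = {"access_token", "client_secret"}


def build_request(path, token, params=None):
    """Build (not send) a GET request with the token in the Authorization header."""
    params = dict(params or {})
    if SENSITIVE_PARAMS.intersection(params):
        raise ValueError("credentials belong in the Authorization header, not the query string")
    url = f"{GRAPH_BASE}/{path.lstrip('/')}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def redact_url(url):
    """Return the URL with credential-bearing query values replaced, safe to log."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in query]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(cleaned)))


def loggable(req):
    """Summarise a request for logs: method, redacted URL, and auth type only."""
    auth = "bearer" if req.has_header("Authorization") else "none"
    return f"{req.get_method()} {redact_url(req.full_url)} auth={auth}"


if __name__ == "__main__":
    # Constructed fallbacks so the example runs offline without real credentials.
    token = os.environ.get("FB_ACCESS_TOKEN", "EAAB-constructed-token")
    page_id = os.environ.get("FB_PAGE_ID", "1234567890")
    request = build_request(f"/{page_id}/feed", token, {"fields": "message"})
    print(loggable(request))
    # A URL built the query-parameter way, as it should appear in a log line:
    print(redact_url(f"{GRAPH_BASE}/{page_id}/feed?access_token={token}"))
```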

Additional References

  • references/security-and-secrets.md – Detailed security guidelines.
  • references/permissions-and-tokens.md now includes environment variable requirements.
  • references/http-request-templates.md includes authentication patterns.
Security usage recommendations
The skill's content appears to legitimately describe Facebook Page operations and correctly requests the Page-related secrets it needs. However, there are packaging/metadata mismatches (ownerId, slug, version, and a contradiction about which env vars are required) that reduce confidence in provenance. Before installing:

  1. Verify the skill's publisher/owner and origin (do not install if the source is unknown or mismatched).
  2. Prefer providing only a Page-scoped access token with minimal scopes (pages_manage_posts/pages_manage_engagement) rather than long-lived app secrets where possible; use short-lived or ephemeral credentials and a secrets manager.
  3. Test the skill in an isolated environment and monitor network traffic to confirm it only communicates with graph.facebook.com.
  4. If you must supply FB_APP_SECRET, keep it in a vault and rotate it after initial testing.
  5. If the metadata inconsistencies persist or the publisher cannot explain them, treat the package as untrusted and avoid installing it.
Functional analysis
Type: OpenClaw Skill
Name: facebook-secure
Version: 1.0.2
The skill bundle provides a well-structured and security-conscious set of instructions and templates for interacting with the Facebook Graph API. It includes detailed documentation on authentication, permission management, and security best practices (e.g., avoiding token leakage in logs and validating webhook signatures). No malicious code, data exfiltration patterns, or harmful prompt injection attempts were identified across the files, including SKILL.md and the reference documents.
Capability assessment
Purpose & Capability
The skill's name, description, and SKILL.md all describe Page posting, comment moderation, and webhook handling — and the requested credentials (FB_APP_ID, FB_APP_SECRET, FB_PAGE_ID, FB_ACCESS_TOKEN) are reasonable for that purpose. However, top-level registry metadata in the submission summary claims no required env vars while _meta.json and SKILL.md declare the sensitive env vars, and the _meta.json ownerId/slug/version differ from the registry metadata — this inconsistency weakens trust in the package provenance.
Instruction Scope
SKILL.md and the reference documents provide concrete HTTP request templates, webhook validation guidance, and token handling best practices. The instructions do not direct the agent to read unrelated system files or external endpoints beyond Facebook Graph API, nor do they instruct exfiltration of secrets. They explicitly warn not to log tokens and to validate signatures.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. That minimizes installation risk — nothing is downloaded or written by an installer.
Credentials
The set of environment variables requested (App ID, App Secret, Page ID, Page access token) is appropriate and proportionate for the described functionality. The concern stems from metadata inconsistencies: the provided summary shows 'Required env vars: none', while both SKILL.md and _meta.json require sensitive env vars and declare FB_ACCESS_TOKEN as primaryEnv. Incoherent packaging increases the risk that the skill was repackaged or tampered with, which matters because the skill asks for high-sensitivity secrets.
Persistence & Privilege
The skill does not request always:true and is user-invocable; autonomous invocation is allowed (platform default). It does not request system-level persistence or modify other skills' configs.
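How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install facebook-secure
  3. Once installation completes, call the Skill by name or trigger it with /facebook-secure
  4. Provide the required inputs according to the Skill's parameter description to get structured output.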
Version history
v1.0.2
Security hardening: env-based credentials, security-and-secrets.md, auth patterns.
Metadata
Slug: facebook-secure
Version: 1.0.2
License: MIT-0
Total installs: 0
Current installs: 0
Version count: 1
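Frequently asked questions

What is Facebook Graph API Skill (Secure)?

OpenClaw skill for Facebook Graph API workflows focused on Pages posting, comments, and Page management using direct HTTPS requests. It is an AI agent skill plugin for Claude Code / OpenClaw and has been downloaded 170 times in total so far.

How do I install Facebook Graph API Skill (Secure)?

Run the command "/install facebook-secure" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Facebook Graph API Skill (Secure) free?

Yes. Facebook Graph API Skill (Secure) is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Facebook Graph API Skill (Secure) support?

Facebook Graph API Skill (Secure) runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Facebook Graph API Skill (Secure)?

It is developed and maintained by kevinkom-byte (@kevinkom-byte); the current version is v1.0.2.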
