功能描述

CREDENTIALS REQUIRED: FB_COOKIE_FILE (Facebook session cookies JSON — treat as password), FB_STATE_FILE (Playwright state path, writable). Optional: FB_DRY_R...

使用说明 (SKILL.md)

FB Group Scanner Skill

Name: Facebook Humanistic Profile Control
Author: joelsalespossible

Scan Facebook groups for targeted posts and auto-comment using undetected browser automation.

⚠️ Before You Start

Cookies = credentials. FB_COOKIE_FILE grants full Facebook account access. Store with chmod 600, never commit to git.
Use a dedicated/throwaway FB account — never your personal account.
Dry-run is ON by default (FB_DRY_RUN=true). The skill will scan and log matches but post zero comments until you explicitly set FB_DRY_RUN=false.
Run in a container or VM — not directly on your host machine.
May violate Facebook TOS. You are responsible for compliance.

Environment Variables

Variable	Required	Secret	Description
`FB_COOKIE_FILE`	✅	✅	Path to Facebook cookies JSON (Selenium format). Full account access — treat as password.
`FB_STATE_FILE`	✅	—	Writable path for Playwright storage state (default: `/tmp/fb_state.json`)
`FB_DRY_RUN`	—	—	`true` (default) = scan only. `false` = live commenting.
`FB_USER_AGENT`	—	—	Override browser user agent
`NOTIFY_WEBHOOK`	—	✅	Webhook URL for match alerts. Skipped if unset.

Install

pip install -r scripts/requirements.txt   # patchright from PyPI
python -m patchright install chromium      # Chromium from Playwright distribution

How to Get Cookies

Log in to Facebook in real Chrome (manually, once, dedicated account)
Export all facebook.com cookies as JSON via EditThisCookie or DevTools
Save to the path in FB_COOKIE_FILE with chmod 600

Cookies last ~30–90 days. Re-export manually when expired — no automated re-login included.

Architecture

Patchright browser (stealth Chromium — patches navigator.webdriver + CDP detection)
  └─ Cookie auth (no login form)
       └─ Navigate group feed → intercept GraphQL responses passively
            └─ Filter posts: trigger phrase + topic keyword − exclusions
                 └─ FB_DRY_RUN=true → log match only
                    FB_DRY_RUN=false → human_type() comment + screenshot + webhook

1. Session (scripts/fb_session.py)

Reads FB_COOKIE_FILE and FB_STATE_FILE from environment. Returns (playwright, browser, context, page).

from fb_session import create_session
pw, browser, ctx, page = await create_session()
# Raises RuntimeError if cookies are stale

2. GraphQL Interception

Passively intercept FB's internal API responses — no synthetic clicks, no DOM scraping:

responses = []
async def capture(r):
    if "graphql" in r.url and r.status == 200:
        try: responses.append(await r.json())
        except: pass
page.on("response", capture)
await page.goto(group_url)
await asyncio.sleep(5)

See references/graphql-patterns.md for walking the response tree.

3. Human-Like Behavior (scripts/human_mouse.py)

human_scroll(page) — variable-speed wheel ticks with micro-pauses
human_click(page, x, y) — bezier curve mouse path + hover + hold
human_type(page, text) — variable WPM, occasional typos + backspace
idle_mouse_drift(page) — aimless drift while "reading"
reading_pause(min_s, max_s) — random pre-action sleep

Timing: 3–8s after page load, 50–120s between groups, never back-to-back.

4. User Controls

import os, re

DRY_RUN = os.environ.get("FB_DRY_RUN", "true").lower() == "true"

def redact_pii(text):
    """Strip emails and phone numbers before any external send."""
    text = re.sub(r'[\w.+-]+@[\w-]+\.[a-z]{2,}', '[EMAIL]', text)
    text = re.sub(r'\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b', '[PHONE]', text)
    return text

NOTIFY_WEBHOOK = os.environ.get("NOTIFY_WEBHOOK", "")
if not NOTIFY_WEBHOOK:
    # Skill skips all external notifications when unset
    pass

5. Post Filtering

See references/filter-logic.md — four-stage pipeline:

Trigger phrase — hiring signal ("hiring", "looking for", "seeking", etc.)
Topic keyword — target role ("csm", "client success manager", "retention", etc.)
Job title exclusions — reject different roles in headline (first 200 chars)
Seeking-work exclusions — reject service-offer posts

6. Scheduling

import schedule, time, asyncio
schedule.every().hour.at(":00").do(lambda: asyncio.run(scan_bucket("A")))
schedule.every().hour.at(":30").do(lambda: asyncio.run(scan_bucket("B")))
while True:
    schedule.run_pending()
    time.sleep(30)

8am–11pm only. Track seen posts in SQLite to prevent duplicate comments.

Files

File	Purpose
`scripts/fb_session.py`	Cookie session factory (env vars only, no hardcoded paths)
`scripts/human_mouse.py`	Stealth mouse/scroll/type helpers (bezier curves, variable timing)
`scripts/requirements.txt`	Python dependencies (`patchright>=1.0.0`)
`references/graphql-patterns.md`	FB GraphQL response tree parsing guide
`references/filter-logic.md`	Keyword filter architecture + tuning guide

安全使用建议

This skill is coherent but high-risk by design because it requires Facebook session cookies (FB_COOKIE_FILE), which grant full account control. Only use with a dedicated/throwaway account, store the cookie file with restrictive permissions (chmod 600), and run inside an isolated VM or container. Keep FB_DRY_RUN=true until you have tested filtering thoroughly; do not set FB_DRY_RUN=false unless you explicitly want live posting. Review and control NOTIFY_WEBHOOK — any URL you provide will receive matched data. Audit the patchright package source before installing and avoid using your personal Facebook account to prevent account compromise or TOS violations. If you want to reduce risk, require manual invocation (do not allow autonomous agent use) and inspect logs and outgoing webhook activity before enabling live actions.

功能分析

Type: OpenClaw Skill Name: fb-profile-control Version: 1.0.6 The skill is a Facebook automation tool that requires high-privilege session credentials (FB_COOKIE_FILE) to function. It utilizes 'patchright' (a stealth fork of Playwright) and includes sophisticated human-behavior simulation in 'scripts/human_mouse.py' to evade bot detection. While the code includes a dry-run safety mechanism and PII redaction logic, the handling of session cookies and the storage of browser state in a world-readable location ('/tmp/fb_state.json' in 'scripts/fb_session.py') present significant security risks and potential for account hijacking. No evidence of intentional exfiltration to a third party was found, but the inherent risks of the required credentials and stealth techniques warrant a suspicious classification.

能力评估

✓ Purpose & Capability

Name/description (FB group scanner + auto-comments) match the requested items: python3, FB_COOKIE_FILE (cookie export), FB_STATE_FILE, Patchright/Playwright for a stealth Chromium. The cookie-based auth and Playwright automation are expected for this purpose.

ℹ Instruction Scope

SKILL.md and code instruct the agent to read the cookie file, convert/write a Playwright state file, intercept GraphQL responses, apply filter logic, and optionally post comments and call a webhook. These are within the declared purpose, but the skill can log raw GraphQL responses and (if configured) send notifications to an external webhook — review and control the webhook destination and logs.

✓ Install Mechanism

Install uses pip (patchright from PyPI) and patchright's chromium install (Playwright distribution). This is a typical, traceable mechanism for Python/Playwright tooling; no arbitrary URL downloads or archive extraction from unknown hosts are present.

✓ Credentials

Required env vars are limited and appropriate: FB_COOKIE_FILE (secret, required) and FB_STATE_FILE (writable path). Optional webhook and user-agent overrides are reasonable. No unrelated credentials or excessive secrets are requested.

ℹ Persistence & Privilege

Skill is not always-enabled and does not request system-wide persistent privileges. It writes a Playwright state file and can operate autonomously (default platform behavior). Because the cookie file grants full account access, prefer manual invocation or keep FB_DRY_RUN=true until you intentionally enable live commenting.

版本历史

v1.0.6

No functional code changes in this release. Metadata in SKILL.md improved for clarity: - Added structured environment variable definitions under `primaryEnv` in metadata. - Now explicitly documents which variables are required, their secrecy, and descriptions. - Improved installation and security instructions in documentation. - Skill usage notes clarified for safe and intended operation.

v1.0.5

No code or documentation changes detected in this release. - Version bump only; no changes to code or documentation. - Safe to update — functionality and interface remain identical to previous version.

v1.0.4

- No code or functionality changes in this release. - Internal metadata structure in SKILL.md has been updated: environment variable and install details are now structured as lists of objects. - User-facing documentation and instructions remain unchanged.

v1.0.3

**Added user safety and explicit controls for auto-commenting Facebook group scanner bots.** - Requires dry-run mode by default; live auto-commenting only enabled by explicit opt-in via environment variable. - Documents environment variables clearly, including required/optional settings for credentials, state storage, user agent, notification webhooks, and dry-run mode. - Adds strong user confirmation and notification PII-redaction logic before sending match data to external systems. - Expands install, session, and operational instructions for safer and more transparent deployment. - Updated security and legal warnings with actionable advice on sandboxing, secrets handling, and compliance responsibilities.

v1.0.2

- Added explicit security, legal, and sandboxing warnings for handling Facebook credentials and automation risks. - Expanded metadata: declares required and optional environment variables, installation instructions, and sensitivity level. - Clarified installation steps and recommends container/VM isolation for extra safety. - Emphasized manual cookie export with warnings not to automate or share exported cookies. - Added reminders to review and sanitize any user data or screenshots before sharing externally. - Improved documentation on compliance, account choice, notification safety, and logging practices.

v1.0.1

- Added scripts/requirements.txt file specifying Python dependencies. - Updated documentation to reflect new, explicit requirements installation step using requirements.txt. - No functional code changes; this version only adds dependency tracking for easier setup.

v1.0.0

Initial release: full documented recipe for building a Facebook group scanner and auto-commenter bot. - Provides stealth browsing via Patchright and cookie-based Facebook sessions (no login form). - Details GraphQL interception for efficient post detection (avoiding HTML scraping). - Includes human-like timing, scrolling, and typing behaviors to evade Facebook bot detection. - Implements robust keyword filtering logic, rate-limited auto-commenting, and duplicate prevention using SQLite. - Supports scheduled scans and Slack notifications for matched/commented posts. - Offers guidance on setup, pitfalls, and file organization for building and maintaining the skill.

元数据

Slug fb-profile-control

版本 1.0.6

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 7

常见问题

Facebook Humanistic Profile Control 是什么？

CREDENTIALS REQUIRED: FB_COOKIE_FILE (Facebook session cookies JSON — treat as password), FB_STATE_FILE (Playwright state path, writable). Optional: FB_DRY_R... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 134 次。

如何安装 Facebook Humanistic Profile Control？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install fb-profile-control」即可一键安装，无需额外配置。

Facebook Humanistic Profile Control 是免费的吗？

是的，Facebook Humanistic Profile Control 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Facebook Humanistic Profile Control 支持哪些平台？

Facebook Humanistic Profile Control 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Facebook Humanistic Profile Control？

由 Joel Yi - DeployAIBots.com（@joelsalespossible）开发并维护，当前版本 v1.0.6。

Facebook Humanistic Profile Control