lifeissea

Instagram Api

Author: Tomas · GitHub · v1.1.1
cross-platform ⚠ suspicious
Total downloads: 1957
Favorites: 0
Current installs: 7
Versions: 9
Install in OpenClaw
/install instagram-api
Description
Post to Instagram (Feed, Story, Reels, Carousel) and Threads using the official Meta Graph API. Requires Imgur for media hosting.
Usage (SKILL.md)

instagram-api

A skill that posts directly to Instagram and Threads using the Meta Graph API. Media hosting uses the Imgur API (to generate public URLs for images and videos).


Getting an Imgur Client ID

The Instagram Graph API can only upload media from a public URL, so Imgur is required.

  1. Go to https://api.imgur.com/oauth2/addclient
  2. Application name: any name you like (e.g. raon-instagram)
  3. Authorization type: select "Anonymous usage without user authorization"
  4. Authorization callback URL: https://localhost (anonymous usage, so it only needs to be well-formed)
  5. Enter your email and submit → note the Client ID
  6. Set the environment variable:
    export IMGUR_CLIENT_ID="your_client_id_here"
    

Environment variables

# Add to ~/.openclaw/.env or ~/.zshrc
export INSTAGRAM_ACCESS_TOKEN="your_token_here"
export INSTAGRAM_BUSINESS_ACCOUNT_ID="your_account_id_here"

# Threads (optional)
export THREADS_ACCESS_TOKEN="your_threads_token_here"
export THREADS_USER_ID="your_threads_user_id_here"

# Imgur (for image hosting; required when uploading feed posts or Reels)
export IMGUR_CLIENT_ID="your_imgur_client_id_here"

Getting a Meta Graph API token

  1. Go to Meta for Developers
  2. Create an app → select the Business type
  3. Add the Instagram Graph API product
  4. Request permissions:
    • instagram_basic
    • instagram_content_publish
    • pages_read_engagement
  5. Issue an Access Token:
  6. Find the Business Account ID:
    curl "https://graph.facebook.com/v21.0/me/accounts?access_token=YOUR_TOKEN"
    

💡 Imgur Client ID: https://api.imgur.com/oauth2/addclient (select Anonymous usage)


Script usage

Feed post

bash scripts/post-feed.sh <image-path> <caption-file>

# Example
bash scripts/post-feed.sh ./photo.jpg ./caption.txt

Story post

bash scripts/post-story.sh <image-path>

# Example
bash scripts/post-story.sh ./story.jpg

Reels post

bash scripts/post-reels.sh <video-path> <caption-file>

# Example
bash scripts/post-reels.sh ./reel.mp4 ./caption.txt

Carousel post

bash scripts/post-carousel.sh <caption-file> <image1> <image2> [image3...]

# Example
bash scripts/post-carousel.sh ./caption.txt ./img1.jpg ./img2.jpg ./img3.jpg

Threads post

bash scripts/post-threads.sh <caption-file> [image-URL]

# Example (text only)
bash scripts/post-threads.sh ./caption.txt

# Example (with image)
bash scripts/post-threads.sh ./caption.txt "https://example.com/image.jpg"

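File structure

instagram-api/
├── SKILL.md                    # This file
└── scripts/
    ├── post-feed.sh            # Feed posting
    ├── post-story.sh           # Story posting
    ├── post-reels.sh           # Reels posting
    ├── post-carousel.sh        # Carousel posting
    └── post-threads.sh         # Threads posting

Notes

  • Instagram can only upload media from a public URL (local files cannot be uploaded directly)
  • This skill generates a temporary public URL via Imgur
  • Processing Reels videos may take several minutes
  • If an API call fails, check the logs under ~/logs/sns/
Security recommendations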
This skill appears to do what it says (upload media to Imgur and post via Meta Graph/Threads), but exercise caution before installing. Two red flags: (1) post-threads.sh will source ~/.openclaw/.env if present — sourcing a dotfile can execute arbitrary shell commands stored there; ensure that file contains only harmless environment variable exports or remove that line. (2) post-threads.sh calls a hard-coded local script /Users/tomas/.openclaw/.../clean_md.py which is outside the skill bundle; that is likely a leftover development reference and could execute arbitrary local code or read local files. Before use, either remove/replace that call with a bundled or remote-safe routine, or ensure the referenced path is absent or trusted. Also verify you are comfortable providing the Instagram/Threads tokens and Imgur Client ID (they grant posting access). If you proceed, inspect and sanitize the scripts (remove sourcing and hard-coded paths), run them in a restricted account or container, and avoid storing long-lived secrets in shared dotfiles.
Functional analysis
Type: OpenClaw Skill
Name: instagram-api
Version: 1.1.1
The `scripts/post-threads.sh` file contains two significant vulnerabilities. First, it uses `source ~/.openclaw/.env`, which executes the `.env` file as a shell script, allowing arbitrary code execution if an attacker can control its content. Second, it calls an external Python script via a hardcoded absolute path (`/Users/tomas/.openclaw/workspace/scripts/utils/clean_md.py`) that is not part of the skill bundle, making the script non-functional and introducing a potential Remote Code Execution (RCE) risk if a malicious script is placed at that specific path. These are critical vulnerabilities, not intentional malice.
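One way to replace the `source ~/.openclaw/.env` call flagged in the security recommendations and the functional analysis is to read the file as data. This is an added example, not part of the skill's scripts: the function name `load_env_file` is hypothetical, the allowlist holds the variable names documented on this page, and the sample file is constructed.

```shell
# Added example: read ~/.openclaw/.env as data instead of `source`-ing it.
# ALLOWED_KEYS holds the variable names documented on this page; the
# function name load_env_file is hypothetical.
ALLOWED_KEYS="INSTAGRAM_ACCESS_TOKEN INSTAGRAM_BUSINESS_ACCOUNT_ID THREADS_ACCESS_TOKEN THREADS_USER_ID IMGUR_CLIENT_ID"

load_env_file() {
    env_file=$1
    [ -f "$env_file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#export }              # tolerate a leading "export "
        case $line in
            ''|'#'*) continue ;;          # blank line or comment
            *=*) ;;                       # looks like KEY=VALUE
            *) echo "skip: not an assignment" >&2; continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        case $key in                      # key must be a plain identifier
            ''|*[!A-Z0-9_]*) echo "skip: malformed key" >&2; continue ;;
        esac
        case " $ALLOWED_KEYS " in         # ...and one the skill documents
            *" $key "*) ;;
            *) echo "skip: unexpected key $key" >&2; continue ;;
        esac
        case $val in                      # drop one pair of matching quotes
            \"*\") val=${val#\"}; val=${val%\"} ;;
            \'*\') val=${val#\'}; val=${val%\'} ;;
        esac
        export "$key=$val"                # literal assignment, never evaluated
    done < "$env_file"
}

# Constructed sample file: a documented key, an undocumented key, and a
# value carrying a command substitution that `source` would have executed.
demo_dir=$(mktemp -d)
cat > "$demo_dir/.env" <<EOF
export IMGUR_CLIENT_ID="constructed_client_id"
UNEXPECTED_KEY=1
THREADS_USER_ID=\$(touch "$demo_dir/executed")
EOF
load_env_file "$demo_dir/.env"
echo "IMGUR_CLIENT_ID=$IMGUR_CLIENT_ID"
echo "THREADS_USER_ID=$THREADS_USER_ID"
[ -e "$demo_dir/executed" ] || echo "command substitution was not executed"
```

The command substitution ends up as the literal value of `THREADS_USER_ID`, so a later API call fails visibly instead of the shell running the embedded command.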
Capability assessment
Purpose & Capability
Name/description (Instagram/Threads posting via Meta Graph and Imgur) aligns with the code: scripts upload media to Imgur and call Meta/Threads Graph endpoints. Required credentials (Instagram token, business account id, Imgur client id) are appropriate for the described functionality.
Instruction Scope
post-threads.sh sources ~/.openclaw/.env if present and invokes an absolute path (/Users/tomas/.openclaw/workspace/scripts/utils/clean_md.py) to preprocess captions. Sourcing a user dotfile can execute arbitrary commands from the file; calling a hard-coded local script outside the skill bundle is unexpected and could read/process local data or execute arbitrary code. Scripts also write logs to ~/logs/sns — expected, but note creation of local logs.
Install Mechanism
No install spec (instruction-only with included scripts). No remote downloads or extract steps in the skill itself. Scripts rely on python3 available at runtime (embedded inline Python).
Credentials
Declared required env vars (INSTAGRAM_ACCESS_TOKEN, INSTAGRAM_BUSINESS_ACCOUNT_ID, IMGUR_CLIENT_ID) are proportional to purpose. Threads uses THREADS_ACCESS_TOKEN and THREADS_USER_ID (documented as optional in body but not listed in the top requires_env YAML), which is a minor mismatch. The script's sourcing of ~/.openclaw/.env expands environment access beyond explicit env variables and may load sensitive values or execute code.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. It creates application logs under ~/logs/sns and may source ~/.openclaw/.env, but it does not modify other skills or system configuration.
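How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install instagram-api
  3. Once installed, invoke the skill by name or trigger it with /instagram-api
  4. Provide the required inputs according to the skill's parameter description to get structured output
Version history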
v1.1.1
Auto-update 2026-02-25: maintenance & improvements
v1.1.0
Auto-update 2026-02-22: minor version bump
v1.0.6
Security fix: all urllib calls reviewed; no credentials in scripts
v1.0.5
Name fix
v1.0.4
Name fix
v1.0.3
Security patch: removed source ~/.openclaw/.env
v1.0.2
Security patch: replaced curl with Python urllib
v1.0.1
Fix: clarify Imgur dependency in SKILL.md, add IMGUR_CLIENT_ID to requirements
v1.0.0
Initial release: Feed/Story/Reels/Carousel/Threads posting via official Meta Graph API
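Metadata
Slug instagram-api
Version 1.1.1
License
Total installs 7
Current installs 7
Versions 9
FAQ

What is Instagram Api?

Post to Instagram (Feed, Story, Reels, Carousel) and Threads using the official Meta Graph API. Requires Imgur for media hosting. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1957 total downloads so far.

How do I install Instagram Api?

Run the command "/install instagram-api" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is Instagram Api free?

Yes, Instagram Api is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Instagram Api support?

Instagram Api is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Instagram Api?

Developed and maintained by Tomas (@lifeissea); the current version is v1.1.1.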
