← 返回 Skills 市场
pawanshekhawat

AI Instagram Auto Poster

作者 Pawan Shekhawat · GitHub ↗ · v1.0.7 · MIT-0
cross-platform ⚠ suspicious
149
总下载
0
收藏
0
当前安装
8
版本数
在 OpenClaw 中安装
/install instagram-auto-posting
功能描述
Automate creation and direct posting of promotional images to Instagram Business accounts using Meta Graph API without third-party schedulers or paid tools.
使用说明 (SKILL.md)

\r \r

Instagram Posting Pipeline\r

\r End-to-end Instagram automation pipeline. Generate professional promotional images and publish them automatically to any Instagram Business account — no third-party automation tools needed.\r \r

Skill Scope\r

\r

  • Generate promotional images (text + branding overlays, 1080×1350)\r
  • Upload images to Cloudinary for public hosting\r
  • Publish to Instagram via Meta Graph API\r
  • Optional: extract business info from a public website URL\r \r Not in scope: scraping private/internal networks, storing credentials externally, third-party data sharing.\r \r

Install Model\r

\r Instruction-driven skill — all scripts are bundled in the package. No external binaries, installers, or runtime dependencies beyond Python 3.8+ and Pillow. Place the scripts/ folder alongside the skill and configure env vars to use.\r \r

Pipeline Flow\r

\r

Business info (name, details, website URL)\r
    → scrape_business.py (optional — auto-extract from website)\r
    → generate_course_promo.py\r
    → upload_cloudinary.py\r
    → post_to_instagram.py\r
    → Instagram post URL\r
```\r
\r
## Data Extraction (Optional)\r
\r
`scrape_business.py` fetches a **user-provided public URL** to extract business info — name, tagline, services, contact — for auto-generating content.\r
\r
**What it does:**\r
- Makes an outbound HTTP(S) request to the provided URL\r
- Parses the HTML response using Python's built-in `html.parser`\r
- Extracts title, meta description, H1 tags, paragraphs, and contact patterns\r
- Returns structured data to populate the image generation prompt\r
- May extract email and phone if publicly available\r
\r
**What it does NOT do:**\r
- Does not follow redirects to third-party domains (all 3xx responses are blocked)\r
- Does not access internal/private networks\r
- Does not store or retransmit scraped data\r
\r
> Do not provide internal/private URLs (e.g. `localhost`, `192.168.x.x`, `10.x.x.x`). SSRF protections enforced: DNS resolution + private-IP blocking (via `ipaddress` module), SSL certificate verification, scheme/hostname allowlist, and **all redirects are explicitly blocked** (no following 3xx responses to any destination).\r
\r
## Environment Setup\r
\r
Before using, set these environment variables:\r
\r
```bash\r
# Meta Graph API (required)\r
export IG_ACCESS_TOKEN="your_page_access_token"\r
export IG_BUSINESS_ACCOUNT_ID="your_ig_business_account_id"\r
export IG_DEFAULT_CAPTION="Your default caption"\r
\r
# Cloudinary (required — create your own free account)\r
# No default credentials are used — you must set up your own\r
export CLOUDINARY_CLOUD_NAME="your_cloud_name"\r
export CLOUDINARY_UPLOAD_PRESET="your_unsigned_preset"\r
export CLOUDINARY_FOLDER="mybusiness"\r
\r
# Image output (optional)\r
export IG_PIPELINE_OUTPUT_DIR="./output"\r
```\r
\r
## Security & Credentials\r
\r
**Your credentials stay yours.**\r
\r
- Tokens are **user-provided at runtime** (environment variables)\r
- Tokens are **never stored externally** or sent to any third-party service\r
- Tokens are **used only during execution** and never persisted\r
- SSL/TLS verification is enforced on all outbound requests\r
- Use least-privilege and test accounts during evaluation\r
- Never log tokens — only non-sensitive metadata is logged\r
\r
**Cloudinary hardening recommendation:**\r
Prefer signed upload presets, or restrict unsigned presets by folder/origin in your Cloudinary dashboard.\r
\r
### Getting Credentials\r
\r
**Access Token:**\r
1. Go to https://developers.facebook.com/tools/explorer/\r
2. Select your Facebook App (must have `instagram_content_publish` and `pages_read_engagement` permissions)\r
3. Generate token for your Page\r
4. Grant `pages_read_engagement`, `instagram_content_publish`\r
\r
**IG Business Account ID:**\r
- Found in Meta Business Suite → Instagram settings → Account ID\r
\r
## Step-by-Step Usage\r
\r
### Step 1: Generate Image\r
\r
```python\r
from generate_course_promo import generate_course_promo\r
\r
path = generate_course_promo(\r
    course_name="Diploma in Artificial Intelligence",\r
    institution="CADDESK Centre",\r
    duration="90 Weeks",\r
    bullets=[\r
        "Machine Learning & Data Science",\r
        "Building Intelligent Systems",\r
        "Algorithm Development",\r
        "Real-World AI Projects",\r
    ],\r
    hook_lines=["Your Future in AI", "Starts Here."],\r
    cta_text="Ready to shape the future with AI?",\r
    handle="@caddeskcentre",\r
    output_filename="course_promo.png"\r
)\r
```\r
\r
CLI:\r
```bash\r
python scripts/generate_course_promo.py\r
```\r
\r
### Step 2: Upload to Cloudinary\r
\r
```bash\r
python scripts/upload_cloudinary.py \x3Cimage_path> [folder]\r
```\r
\r
Returns a public URL like `https://res.cloudinary.com/image/upload/xyz.png`\r
\r
### Step 3: Post to Instagram\r
\r
```bash\r
python scripts/post_to_instagram.py \x3Cimage_url> \x3Ccaption>\r
```\r
\r
Or programmatically:\r
\r
```python\r
from post_to_instagram import post_to_instagram\r
\r
success, post_id, ig_url = post_to_instagram(\r
    image_url="https://res.cloudinary.com/image/upload/xyz.png",\r
    caption="Your caption with #hashtags"\r
)\r
```\r
\r
## Caption Structure\r
\r
```\r
[HOOK - bold claim or question, 1-2 lines]\r
[VALUE - what they'll learn/achieve]\r
[CTA - link in bio / DM to enroll / visit website]\r
[8-15 hashtags - mix of broad + niche]\r
```\r
\r
## Troubleshooting\r
\r
| Error | Fix |\r
|-------|-----|\r
| `401 Invalid OAuth` | Token expired — regenerate at Graph API Explorer |\r
| `IG token format error` | Use Page Access Token, not IG-only token |\r
| `image_url required` | Image not publicly accessible — upload to Cloudinary first |\r
| `403 Forbidden` | App not in Live mode or `instagram_content_publish` permission not approved |\r
| `Cloudinary 400` | Image too large (>10MB), unsupported format, or credentials not configured |\r
| `IG account not found` | Account not set as Business/Creator mode in Meta |\r
| Scrape returns None | Website uses JS rendering — provide details manually |\r
\r
## Multiple Accounts\r
\r
To switch between IG accounts, update environment variables before each post:\r
\r
```bash\r
export IG_ACCESS_TOKEN="token_for_account_a"\r
export IG_BUSINESS_ACCOUNT_ID="ig_id_account_a"\r
python scripts/post_to_instagram.py \x3Curl> \x3Ccaption>\r
```\r
安全使用建议
This package is mostly coherent with its stated purpose but there are a few things to check before using it: - Configuration mismatch: The registry metadata claims no required env vars, but the SKILL.md and scripts require IG_ACCESS_TOKEN, IG_BUSINESS_ACCOUNT_ID, CLOUDINARY_CLOUD_NAME, and CLOUDINARY_UPLOAD_PRESET. Make sure you set those environment variables before running. - Use least-privilege/test tokens: For Meta/Instagram, create and test with a Page access token tied to a test Page or app with the minimum required permissions (instagram_content_publish, pages_read_engagement). Do not use owner/root/long-lived tokens for initial testing. - Protect Cloudinary uploads: Prefer signed upload presets or restrict unsigned presets by folder/origin in your Cloudinary dashboard. Unsigned presets can allow public uploads and could expose your images or be abused. - Scraper safety: Only provide public, trusted URLs. The scraper enforces SSRF protections (DNS checks, redirect blocking, TLS verification) but it will extract publicly visible emails/phones from a page; do not supply URLs that expose PII you do not want handled. - Review and run locally first: Because the package is instruction-driven with bundled scripts, inspect the code (you have it) and run in an isolated environment before granting access in production. Confirm the scripts behave as you expect (e.g., the Instagram publish flow using your tokens). If these concerns are acceptable and you follow the hardening advice (signed Cloudinary preset, least-privilege test token, avoid private URLs), the skill appears to implement the functionality it advertises. If the registry metadata were corrected to list the required env vars, the coherence would improve.
功能分析
Type: OpenClaw Skill Name: instagram-auto-posting Version: 1.0.7 The skill bundle provides an Instagram automation pipeline with capabilities for web scraping, image generation, and social media posting. While the code appears to have a benign intent, the scraping script (scripts/scrape_business.py) contains a significant SSRF vulnerability; although it attempts to validate hostnames and IP addresses, it resolves the DNS twice (once for validation and once for the request), making it susceptible to DNS rebinding attacks. Additionally, the bundle handles sensitive Meta Graph API and Cloudinary credentials via environment variables, which is standard but carries inherent risk if the environment is compromised. The presence of a truncated duplicate function in scrape_business.py suggests unintentional coding errors rather than malice.
能力标签
cryptorequires-oauth-token
能力评估
Purpose & Capability
The skill's name/description (auto-posting to Instagram Business) aligns with the provided scripts: image generator, Cloudinary uploader, website scraper, and Instagram poster. However the registry metadata lists no required environment variables or primary credential while SKILL.md and the code require IG_ACCESS_TOKEN, IG_BUSINESS_ACCOUNT_ID, CLOUDINARY_CLOUD_NAME, and CLOUDINARY_UPLOAD_PRESET — a mismatch that could lead to unexpected runtime failures or misconfiguration.
Instruction Scope
SKILL.md and the scripts keep scope to the stated pipeline (optional public website scrape → image generation → Cloudinary upload → Graph API publish). The scraper accepts a user-provided public URL and extracts title/meta/H1/paragraph text and public contact patterns; the code implements multiple SSRF protections (scheme checks, DNS resolution to ensure public IPs, redirect blocking, TLS verification). Still, the scraper will extract and return any publicly exposed emails/phones from a site — expected for the feature but something to be aware of if you pass URLs containing sensitive or PII inadvertently.
Install Mechanism
This is an instruction-driven skill bundled with Python scripts (no installer). No external arbitrary downloads are used. The only non-stdlib runtime dependency is Pillow (documented). No code is fetched from third-party URLs during install.
Credentials
The environment variables required by the pipeline (IG_ACCESS_TOKEN, IG_BUSINESS_ACCOUNT_ID, CLOUDINARY_CLOUD_NAME, CLOUDINARY_UPLOAD_PRESET) are appropriate for the stated functionality, but they are not reflected in the registry 'Required env vars' metadata — an incoherence. Cloudinary upload preset usage can be unsigned and thus publicly writable; the SKILL.md warns about this, but if you use an unsigned preset your uploads could be exposed or abused. The number and type of secrets requested is otherwise proportionate to the task (Instagram tokens and Cloudinary settings).
Persistence & Privilege
The skill is not set to always:true and does not modify other skills or system-wide configuration. The scripts read environment variables at runtime and do not persist tokens or store them externally according to the code and SKILL.md.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install instagram-auto-posting
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /instagram-auto-posting 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.7
- Security improvements: scraping step now explicitly blocks all HTTP(S) redirects, adding another layer of SSRF protection. - Documentation updates to clarify that all 3xx responses are blocked—no redirects are ever followed during web scraping. - Minor clarification in Cloudinary instructions (no default credentials used). - Added mention that public email and phone extraction may occur where available.
v1.0.6
- Improved documentation for data extraction and security, emphasizing outbound scraping safety and credential protection. - Clarified skill requirements: now explicitly states instruction-driven usage and Python environment details. - Updated Data Extraction section with step-by-step explanation and added outbound HTTP(S) and SSRF hardening details. - Added installation, Cloudinary security recommendations, and clear warnings about not providing private/internal URLs. - Expanded Security & Credentials section with best-practices and new advice for Cloudinary upload presets. - No changes to core functionality, API, or scripts.
v1.0.5
**Major change: Core Instagram auto-posting scripts removed from this version.** - Removed all core automation scripts: generate_course_promo.py, post_to_instagram.py, scrape_business.py, upload_cloudinary.py. - Instagram posting pipeline is no longer functional in this version. - Now only documentation and configuration metadata remain.
v1.0.4
- Cleaned up documentation for clarity and brevity; removed detailed setup guides and Q&A, focusing on quick integration. - Updated skill description and usage to emphasize key use-cases and expected command triggers. - Summarized environment variable setup, keeping only essential credential instructions. - Provided clear, sequential steps: generate image, upload to Cloudinary, post to Instagram. - Added focused troubleshooting table for common posting/auth errors. - Explained caption best practices and multi-account handling.
v1.0.3
- Added compiled Python cache file: `scripts/__pycache__/scrape_business.cpython-310.pyc` - Documentation update in SKILL.md: environment variable requirements are now clearly listed in a dedicated section at the top. - No changes to core functionality or source code.
v1.0.2
- Cloudinary configuration updated: users must now provide their own free Cloudinary account details, replacing the previous demo default. - Documentation clarified to reflect user responsibility for Cloudinary credentials and image hosting. - References to the "demo" Cloudinary preset have been removed; users are encouraged to use their own securely configured presets. - No changes made to code or functionality; documentation and setup instructions improved for clarity and security.
v1.0.1
- Added security recommendations: use a private Cloudinary account with signed uploads, and test with non-production Instagram accounts where possible. - Updated documentation in SKILL.md to highlight best practices for secure image hosting and safer development/testing setup. - No code changes; documentation improvements only.
v1.0.0
Initial release: End-to-end Instagram automation using official Meta API, with AI-powered promo image generation. - Automates Instagram posting for any business via the Meta Graph API—no third-party tools or schedulers needed. - Accepts simple business details or a website URL for automatic info extraction. - Generates promo images, uploads them to Cloudinary, and posts directly to Instagram Business accounts. - Keeps user credentials secure; no tokens are stored or shared. - 100% free with cloud and Meta developer free tiers. - Full setup and usage instructions included for easy onboarding.
元数据
Slug instagram-auto-posting
版本 1.0.7
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 8
常见问题

AI Instagram Auto Poster 是什么?

Automate creation and direct posting of promotional images to Instagram Business accounts using Meta Graph API without third-party schedulers or paid tools. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 149 次。

如何安装 AI Instagram Auto Poster?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install instagram-auto-posting」即可一键安装,无需额外配置。

AI Instagram Auto Poster 是免费的吗?

是的,AI Instagram Auto Poster 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

AI Instagram Auto Poster 支持哪些平台?

AI Instagram Auto Poster 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 AI Instagram Auto Poster?

由 Pawan Shekhawat(@pawanshekhawat)开发并维护,当前版本 v1.0.7。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论