techlaai

Techla FB Repost

Author: techlaai · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 388
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install techla-fb-repost
Description
A skill that fetches content from a Facebook post link, rewrites the post in a suitable style, generates an illustration with Gemini, and then publishes it to a Facebook Page via the Graph API...
Security usage recommendations
This skill appears to do what it says, but take these precautions before using it:
- Metadata mismatch: the registry lists no required env vars or dependencies but SKILL.md and the scripts clearly need APIFY_TOKEN, GEMINI_API_KEY, FB_PAGE_ID and FB_PAGE_ACCESS_TOKEN and a Python runtime with the 'requests' package. Expect to provide those secrets and to have python3 + requests available.
- Secret handling: the scripts accept API keys and tokens as command-line arguments. On multi-user systems, command-line arguments can be visible to other users (via ps). Prefer providing tokens via a secure secrets store or environment variables and avoid pasting long-lived page tokens into ephemeral chat entries.
- Confirm-before-post: SKILL.md includes a checklist that requires explicit user confirmation before posting. Before enabling the skill for autonomous use, verify the agent actually shows the preview and waits for your confirmation as promised. Don't enable full autonomy unless you trust the skill and have tested it.
- Token scope & rotation: Facebook Page tokens can be powerful. Use the minimum-scoped token, test on a throwaway page first, and be prepared to revoke/rotate tokens if you suspect misuse.
- Dependency & runtime: ensure python3 and the 'requests' package are installed in the environment the agent will run in. Consider reviewing the code yourself or running it locally to confirm behavior before granting secrets.

If you need higher assurance, request the publisher to: (1) update registry metadata to list required env vars and runtime dependencies, (2) switch to reading secrets from environment variables or a secure file rather than CLI args, and (3) provide a provenance/homepage or contact so you can validate the source. If you cannot verify the source or cannot secure the tokens, do not install or run this skill with your production Page token.
Functional analysis
Type: OpenClaw Skill
Name: techla-fb-repost
Version: 1.0.0

The skill is classified as suspicious due to a significant shell injection vulnerability. The Python scripts (`scrape_fb.py`, `generate_image.py`, `post_fb.py`) directly use `sys.argv` for arguments like URLs, image prompts, and messages. The `SKILL.md` instructs the OpenClaw agent to execute these scripts via shell commands, passing user-controlled input directly. If the agent fails to properly sanitize or quote these inputs, an attacker could inject arbitrary shell commands, leading to remote code execution. While the skill's stated purpose is benign, this design flaw creates a critical vulnerability.
Capability assessment
Purpose & Capability
The skill's actions (Apify scraping, Gemini image generation, Facebook Graph posting) are coherent with the description. However registry metadata declares no required credentials or dependencies while SKILL.md and the scripts clearly require APIFY_TOKEN, GEMINI_API_KEY, FB_PAGE_ID and FB_PAGE_ACCESS_TOKEN and expect Python. That mismatch between declared metadata and actual runtime requirements is an inconsistency you should be aware of.
Instruction Scope
The SKILL.md clearly limits actions to: call Apify to scrape, call a model (agent) to rewrite, call Gemini for images, and call Facebook Graph API to upload and post. It also includes a checklist requiring user confirmation before posting. No hidden external endpoints appear in the scripts. One scope concern: SKILL.md instructs the agent to 'activate whenever user provides a FB link + asks to repost' — if the agent is permitted to autonomously pick skills, this could cause the skill to be selected often. Also the instructions and scripts take secrets as command-line arguments (exposing them to process listings) instead of using env vars, which is a privacy/security concern.
Install Mechanism
There is no install spec (instruction-only + shipped scripts), which reduces install-surface risk. But the package includes Python scripts that import the third-party 'requests' library; the skill metadata did not declare a dependency or required binary (python3) or a way to install requests. That omission can cause runtime errors or lead users to manually install packages without guidance.
Credentials
The credentials requested in SKILL.md (APIFY_TOKEN, GEMINI_API_KEY, FB_PAGE_ID, FB_PAGE_ACCESS_TOKEN) are appropriate for the stated functionality. However the registry metadata lists no required env vars/primary credential — a clear mismatch. Additional concern: scripts accept credentials as CLI arguments which can be exposed via system process listings (ps). The skill also suggests storing secrets in OpenClaw secrets/env vars but does not enforce or demonstrate that; verify how you will supply tokens securely.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide settings. Autonomous invocation is allowed by default on the platform, which is normal; this skill does not add unusual persistence privileges.
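How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install techla-fb-repost
  3. Once installed, invoke the Skill by name or trigger it with /techla-fb-repost
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history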
v1.0.0
fb-repost 1.0.0 — initial release
- Supports reposting Facebook posts to a Facebook Page: scrape content, rewrite for page style, auto-generate images (Gemini), post via Graph API.
- Works when user supplies any Facebook link and requests reposting/rewriting.
- Requires Apify/Gemini/Facebook Page credentials (guidance and env var support included).
- Step-by-step workflow: scrape post → analyze/rewrite → generate image → preview → seek confirmation → post.
- Built-in error handling and user-friendly confirmation/checklist before publishing.
Metadata
Slug techla-fb-repost
Version 1.0.0
License
Total installs 0
Current installs 0
Number of versions 1
FAQ

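What is Techla FB Repost?

A skill that fetches content from a Facebook post link, rewrites the post in a suitable style, generates an illustration with Gemini, and then publishes it to a Facebook Page via the Graph API... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 388 total downloads to date.

How do I install Techla FB Repost?

Run the command "/install techla-fb-repost" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Techla FB Repost free?

Yes, Techla FB Repost is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Techla FB Repost support?

Techla FB Repost runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Techla FB Repost?

It is developed and maintained by techlaai (@techlaai); the current version is v1.0.0.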
