📦 insta-post — Automated Instagram image posts

v1.0.1

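Uploads images to Instagram in one step through browser automation, covering the full flow of posting, scheduling and content publishing without manually opening the app.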

Last updated: 2026/4/23
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Assessment recommendations
What to consider before installing/using:
- Functionality: The script automates an Instagram post by connecting to your local OpenClaw browser CDP (default 127.0.0.1:18800). It will act as the currently logged-in browser user — if that session is logged into your Instagram account it can publish on your behalf.
- Inconsistencies: SKILL.md shows a Quick Upload command calling 'scripts/post.sh' but the package contains scripts/post.js. The README/installation does not list required npm packages (p...
Detailed analysis
Purpose and capability
The name/description claim browser-based Instagram uploads, and the included script (scripts/post.js) implements that by connecting to a local CDP (default 127.0.0.1:18800) and driving Instagram UI — this is coherent. However, the SKILL.md references OpenClaw browser tool commands and a Quick Upload command that calls node on 'scripts/post.sh' (a mismatched filename/extension). Also no declared Node/npm dependencies are listed even though the script requires puppeteer-core and commander. These inconsistencies reduce confidence in the package hygiene.
Instruction scope
SKILL.md instructs using the OpenClaw browser snapshot/upload tooling and workspace TOOLS.md for collaborators; the script instead uses puppeteer-core to connect to the local CDP and performs DOM clicks/uploads. The instructions do not ask for unrelated files or secrets, but they do require and will use a logged-in browser session (i.e., it acts with whatever account is logged in). The mismatched command (post.sh vs post.js) and mixed guidance vs implementation grant broad discretion to the agent/operator and may cause accidental actions if UI selectors click unexpected elements.
Install mechanism
No install spec is provided (instruction-only style), and the repository includes a runnable Node script. The script depends on npm packages (puppeteer-core, commander) but the skill does not declare or install them; users must install dependencies themselves. This is not inherently malicious but is fragile and increases risk of misconfiguration or running outdated/unreviewed dependencies.
Credential requirements
The skill requests no credentials or sensitive environment variables. It optionally reads BROWSER_PORT from env (default 18800). It does require local filesystem access to image files and access to a local browser debugging endpoint — both are appropriate for the stated purpose. Note: because it drives whatever browser session is active, it effectively uses the user's Instagram authentication present in that browser tab.
Persistence and privileges
always is false and there is no install-time persistence or modification of other skills or system-wide configs. The skill does run actions within a logged-in browser session, which is expected for a posting tool, but it does not request elevated or persistent platform privileges.
Security is layered; review the code before running.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.1 · 2026/2/15

Suspicious

Install command

Official: npx clawhub@latest install insta-post
Mirror: npx clawhub@latest install insta-post --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库