clinstagram

Security checks across malware telemetry and agentic risk

Overview

This Instagram automation skill is not clearly malicious, but it can use private-account credentials and perform live posts, DMs, story posts, follows, likes, and comment deletion, so it belongs in Review.

Install only if you are comfortable giving an agent live Instagram authority. Prefer official-only or hybrid-safe mode, use dry-run first, avoid private API login unless necessary, use a trusted proxy only, and require explicit user approval before sending DMs, publishing, deleting comments, or enabling growth actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The design creates a policy inconsistency: `hybrid-safe` is described as allowing private API use only for read-only features, yet elsewhere it contemplates routing write-capable actions such as DM sends and story posting through the private backend. In an agent setting, ambiguous policy boundaries are dangerous because they can cause operators to believe they are in a low-risk mode while the tool still performs account-risking or non-compliant actions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README explicitly promotes private-API login using username, email, or phone, but does not place a clear warning nearby about handling highly sensitive credentials, account risk, privacy implications, or third-party/private-API trust boundaries. In an agent-oriented CLI, this is dangerous because users or agents may automate credential submission to a non-official backend without informed consent, increasing the chance of credential misuse, account compromise, or unsafe storage/forwarding.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README includes ready-to-run commands for sending DMs, posting stories, replying to comments, and publishing media without adjacent warnings that these actions affect external accounts and may send messages or content to real users. In an AI-agent context, omission of such warnings raises the risk of unintended outbound actions, spam, privacy incidents, and unauthorized engagement if an agent executes examples literally.

Natural-Language Policy Violations

Severity: Low
Confidence: 75%
Finding:
Auto-detecting login locale from the user's system without an explicit opt-in or override can disclose environmental metadata and influence authentication behavior in ways the user may not expect. While lower severity than direct credential issues, it still weakens user control and transparency around what contextual data is being used during login.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The manifest description is very broad ('full Instagram CLI' covering posting, DMs, stories, followers, likes, comments) without clear trigger constraints, approval boundaries, or task scoping. In an agent setting, this increases the chance of overbroad invocation for sensitive social-media actions, including messaging and account-modifying behavior, beyond what a user explicitly intended.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The authentication section references private API login using username/password/2FA and promotes a 'private-enabled' mode, but the skill description does not give a prominent warning about handling account credentials, session tokens, private-account access, or potential policy/compliance risk. This is dangerous because agents or users may supply highly sensitive credentials without understanding that unofficial/private API access can expose accounts to takeover, suspension, or misuse.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The media staging design uploads local files to temporary public URLs so the Graph API can consume them, but the document does not require explicit user consent, visibility warnings, or strict access controls. That can expose private images/videos to unintended third parties, crawlers, or misconfigured buckets during the staging window, which is especially sensitive for agent-driven automation handling local files automatically.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The design states that all API calls are logged for debugging, but it does not bound what data is recorded or warn that DMs, captions, usernames, tokens, or metadata might end up in logs. In a multi-agent or shared-host environment, verbose audit logs can become a secondary disclosure channel for private conversations, account activity, and authentication material.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The plan explicitly introduces private-API login using username/password/2FA without a prominent warning about credential-handling, privacy, account-lockout, and terms-of-service risk. In a security-sensitive automation skill, normalizing credential collection without explicit safeguards increases the chance that users or agents will store, transmit, or use highly sensitive account secrets unsafely.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
This code allows arbitrary proxy configuration for a private Instagram login flow while also auto-populating locale, country, timezone, device fingerprint, credentials, and potentially TOTP-backed authentication. If a user supplies an untrusted proxy, highly sensitive account and device-context data can be intercepted or logged, which is especially risky in a private-enabled skill designed to emulate mobile clients and avoid detection.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The `delete` command triggers `comments_delete(comment_id)` immediately with no confirmation prompt, dry-run mode, or explicit safety flag. In a CLI that manages live Instagram interactions, this increases the chance of accidental destructive actions from operator error, scripting mistakes, or misuse of copied IDs, leading to irreversible comment removal.

VirusTotal

64/64 vendors flagged this skill as clean.