Skillv0.2.0

ClawScan security

clinstagram · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 3:08 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely matches its stated purpose (an Instagram CLI combining Graph API and a private API) but contains implementation/metadata mismatches and a few design choices that deserve scrutiny before installation.
Guidance: What to check before installing: - Clarify the packaging/install path: SKILL.md includes a pip install, the bundle contains a full Python package, and the registry entry said 'instruction-only' — ask the publisher which you should install (the bundled source or pip) and verify the package source (PyPI project page or the GitHub repo). Avoid blindly pip-installing an unverified package. - Confirm how secrets are provided: the metadata declares CLINSTAGRAM_SECRETS_FILE as the primary credential, but the code uses OS keychain (keyring) and mentions an encrypted-file fallback. Ask where that env var is read and how the secret file is formatted. If you plan to run non-interactively (CI/agent), prefer an explicit, documented secrets-file workflow and avoid putting plaintext credentials in env vars. - Prefer conservative compliance mode: if you only need official Graph API functionality (posting, analytics, comments), run in official-only mode to avoid the private API. If you must use private features, use hybrid-safe (read-only private) rather than private-enabled. - Be cautious with autonomous agents: the skill can be invoked by agents autonomously (platform default). If you allow autonomous invocation, restrict what the agent can do (do not enable --enable-growth-actions, do not enable private-enabled mode) and ensure the agent prompts you before enabling risky flags. - Audit the remaining source files (private backend and any networking code) for any hard-coded endpoints or telemetry/exfil endpoints not belonging to Instagram/Meta. The visible code hits graph.instagram.com / graph.facebook.com and uses instagrapi for private API — that's expected. If you are not comfortable sharing production credentials, test with a throwaway Instagram account first. If you want, I can: (1) search the rest of the bundled source for references to CLINSTAGRAM_SECRETS_FILE or any unexpected remote endpoints, (2) list the exact files that reference network calls, or (3) extract the obvious places agent-automation could run commands so you can add containment policies.

Review Dimensions

Purpose & Capability: noteThe name/description (Instagram CLI, Graph + private API) matches the included code and commands. Requested artifacts (binary 'clinstagram' and a config dir env var) are appropriate. However there are inconsistencies: the registry metadata claimed 'No install spec / instruction-only' while the SKILL.md includes an install hint (pip install clinstagram) and the skill bundle contains a full Python package source tree. Also a declared primary credential env var (CLINSTAGRAM_SECRETS_FILE) is present in metadata but the visible code uses OS keychain and an encrypted-file fallback — I couldn't find a clear use of that env var in the shown files. These mismatches are explainable but should be clarified.
Instruction Scope: noteSKILL.md instructs the agent to run the clinstagram CLI and to use CLINSTAGRAM_CONFIG_DIR for config — that is within scope. It explicitly describes compliance modes and safety gates (e.g., growth actions disabled by default), and documents remediation commands to run on auth failure. One operational concern: SKILL.md tells agents to read an error 'remediation' field and execute the remediation command automatically; that gives an agent broad discretion to run login/config commands if it follows those instructions autonomously. The instructions also include interactive challenge handling (prompts) which may block non-interactive runs. No instructions were found that ask the agent to read unrelated system files or unrelated environment variables.
Install Mechanism: concernSKILL.md metadata includes an explicit pip install (pip: clinstagram) which is a standard install path. However the registry metadata summary indicated there was 'No install spec — instruction-only' despite a full source tree being bundled. That inconsistency (bundle contains full package + SKILL.md lists a pip install) is a red flag for sloppy packaging or for a mismatch between what will actually be executed by the platform and what the developer intended. Installing from PyPI via pip is normal, but confirm the package origin (PyPI project vs. the bundled source) before installing. No high-risk download-from-URL or archive-extract installs were seen.
Credentials: noteThe skill asks only for CLINSTAGRAM_CONFIG_DIR and declares CLINSTAGRAM_SECRETS_FILE as the primary credential — a small and plausible set for a CLI that needs a config directory and secrets. There are no unrelated credentials (AWS, GCP, etc.). However, the declared primary env var (CLINSTAGRAM_SECRETS_FILE) is not obviously referenced in the visible code (which prefers OS keychain and encrypted-file fallback), so the need for this particular env var should be clarified. The code also requires network access and may ask for username/password (private API) during auth — expected for the stated functionality.
Persistence & Privilege: noteThe skill does not request 'always: true' and does not attempt to change other skills' configurations. It persists sessions/secrets in OS keychain or an encrypted file (as documented), which is normal for a CLI that logs into services. One risk factor: the platform-default autonomous invocation combined with the ability to use a private Instagram session means an autonomous agent could take account-affecting actions (DMs, follow/unfollow) if it enables private-enabled mode or the --enable-growth-actions flag. The skill tries to mitigate this (growth actions disabled by default and a compliance mode system), but the combination of autonomous invocation + private API capability increases potential impact if the skill is misused or if agent prompts are followed without user confirmation.