instagram-publish
PassAudited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill Name: instagram-publish Version: 1.0.0 The skill is a legitimate tool for publishing media to Instagram via the MyBrandMetrics API. The core logic in `scripts/publish_instagram.py` correctly implements media uploads, carousel handling, and status polling using the `requests` library, with no evidence of malicious intent, data exfiltration, or unauthorized command execution. The instructions in `SKILL.md` and the configuration guidance are consistent with the stated purpose and do not contain harmful prompt injections.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken invocation could publish unwanted content to a connected Instagram account.
The skill can cause a real Instagram post to be created. This matches the stated purpose, but public posting is high-impact if the wrong media, caption, or account is used.
This skill enables publishing content to Instagram via the MyBrandMetrics API.
Before running the script, confirm the account/connection ID, exact caption, media list, and whether a Reel should be shared to feed.
Anyone or any agent action with these values may be able to publish through the configured account.
These credentials and identifiers delegate authority to publish through the connected Instagram/MyBrandMetrics account.
`--api-key`: MyBrandMetrics API Key (check `TOOLS.md` for current key) - `--connection-id`: Instagram Connection ID - `--account-id`: MyBrandMetrics Account ID
Keep the API key out of shared chats/logs, verify the account IDs before posting, and rotate the key if it is accidentally exposed.
Users have less external context for verifying who maintains the skill or whether the MyBrandMetrics endpoint is the intended provider.
No automatic installer is present, but the package provenance is not identified, which matters for a skill that receives publishing credentials.
Source: unknown Homepage: none No install spec — this is an instruction-only skill.
Review the included script and verify the MyBrandMetrics API relationship before providing credentials.