ClawHub

Instagram Collector

v1.0.0

Collects Instagram profile stats including followers, posts, engagement rate, posting frequency, avg likes/comments, and top hashtags via Apify scraper.

0· 257·0 current·1 all-time
byAdarsh More@adarshvmore
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md clearly depends on the Apify Instagram Profile Scraper and therefore needs an APIFY_API_TOKEN. The registry metadata lists no required environment variables or primary credential, which is inconsistent with the stated purpose and should be corrected.
Instruction Scope
Instructions describe calling the Apify actor, polling for completion, fetching dataset results, mapping fields, and extracting hashtags — all consistent with collecting Instagram metrics. The instructions do not ask for unrelated system files or other secrets. They do log errors (including the handle) which could expose user-provided handles in logs if not sanitized.
Install Mechanism
This is an instruction-only skill with no install script or code files, so nothing is written to disk during install. That minimizes install-time risk.
!
Credentials
SKILL.md explicitly requires an APIFY_API_TOKEN (sensitive credential) but the skill metadata lists zero required env vars and no primary credential. Lack of declared credential is a mismatch and should be fixed. Aside from Apify, no other credentials are requested.
Persistence & Privilege
always is false and the skill does not request persistent or system-wide privileges. Autonomous invocation is allowed (platform default) but there is no evidence the skill modifies other skill configs or requires permanent presence.
What to consider before installing
This skill looks like a legitimate Apify-based Instagram scraper, but the SKILL.md requires an APIFY_API_TOKEN while the registry metadata does not declare any required environment variables—this mismatch is the main red flag. Before installing: 1) Confirm the publisher/source (no homepage provided) and prefer a vetted source. 2) Require the author to declare APIFY_API_TOKEN in the skill metadata (so the platform can enforce secret handling). 3) Store APIFY_API_TOKEN securely (least privilege) and ensure it can be revoked. 4) Verify the implementation of apifyService.scrapeInstagramProfile (or run in a sandbox) so you know exactly what network calls and data are transmitted. 5) Ensure logs do not leak handles or tokens (sanitize error logs). 6) Be aware that each run may incur Apify costs and rate limits; test with a low-volume account first. If the publisher cannot explain or correct the missing credential declaration, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e7e1xzpmtymxx11jt3qmyx582a3cm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments