Instagram Collector Adarsh
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill appears benign and purpose-aligned, but it uses an Apify account token and may consume Apify quota to collect Instagram metrics.
Before installing, confirm you are comfortable giving the pipeline access to an Apify token and making Apify calls for Instagram handles. Monitor quota and cost, and review the surrounding Apify service code because the actual API implementation is not included in this instruction-only skill.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may run Apify jobs under the user's account and consume quota or incur small usage costs.
The skill expects access to the user's Apify credential/account and may consume account quota or paid usage. This is disclosed and aligned with the Instagram collection purpose, but it is not reflected in the registry's required environment variables.
- **Auth:** `APIFY_API_TOKEN` environment variable - **Cost estimate:** ~$0.005 per run on Apify free/paid tier
Use a limited Apify token if available, monitor Apify usage, and avoid exposing the token in chat or logs.
An unintended or repeated invocation could scrape handles and consume Apify quota, though the artifacts do not show destructive actions or account mutation.
The skill launches an external Apify actor based on the provided handle. This is central to the stated purpose and disclosed, but users should recognize that invocation triggers an external scraping run.
Call `apifyService.scrapeInstagramProfile(handle)` which starts an Apify actor run
Use the skill only for intended handles and consider human approval before repeated or bulk collection.
The installed skill's real behavior depends on surrounding pipeline code that is not part of this artifact set.
The supplied artifacts are instruction-only and the referenced implementation file is not included. This is disclosed, but the actual credential handling and HTTP behavior depend on the host pipeline or external service layer.
The collector depends on `apifyService.ts` for the actual API communication.
Review the local `apifyService.ts` integration and Apify actor configuration in the environment where this skill will be used.