ClawHub
Back to skill
v1.0.1

Instagram Collector Adarsh

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:27 AM.

Analysis

This instruction-only skill appears benign and purpose-aligned, but it uses an Apify account token and may consume Apify quota to collect Instagram metrics.

GuidanceBefore installing, confirm you are comfortable giving the pipeline access to an Apify token and making Apify calls for Instagram handles. Monitor quota and cost, and review the surrounding Apify service code because the actual API implementation is not included in this instruction-only skill.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
Call `apifyService.scrapeInstagramProfile(handle)` which starts an Apify actor run

The skill launches an external Apify actor based on the provided handle. This is central to the stated purpose and disclosed, but users should recognize that invocation triggers an external scraping run.

User impactAn unintended or repeated invocation could scrape handles and consume Apify quota, though the artifacts do not show destructive actions or account mutation.
RecommendationUse the skill only for intended handles and consider human approval before repeated or bulk collection.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
SKILL.md
The collector depends on `apifyService.ts` for the actual API communication.

The supplied artifacts are instruction-only and the referenced implementation file is not included. This is disclosed, but the actual credential handling and HTTP behavior depend on the host pipeline or external service layer.

User impactThe installed skill's real behavior depends on surrounding pipeline code that is not part of this artifact set.
RecommendationReview the local `apifyService.ts` integration and Apify actor configuration in the environment where this skill will be used.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
- **Auth:** `APIFY_API_TOKEN` environment variable
- **Cost estimate:** ~$0.005 per run on Apify free/paid tier

The skill expects access to the user's Apify credential/account and may consume account quota or paid usage. This is disclosed and aligned with the Instagram collection purpose, but it is not reflected in the registry's required environment variables.

User impactUsing the skill may run Apify jobs under the user's account and consume quota or incur small usage costs.
RecommendationUse a limited Apify token if available, monitor Apify usage, and avoid exposing the token in chat or logs.