Instagram Collector
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is a coherent Instagram metrics collector using Apify, with disclosed external API use and a token requirement, but users should notice the metadata does not declare that credential and no implementation files are included.
This appears safe for its stated purpose if you intend to use Apify to collect public Instagram profile metrics. Before installing, make sure you are comfortable providing an Apify API token, possible Apify usage charges, and sending requested Instagram handles to Apify; if additional implementation files are later supplied, review them separately.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may consume Apify account quota or create small charges tied to the user's token.
The skill requires an Apify account token and may incur usage costs. This is expected for an Apify-based scraper, but users should know their Apify credential and quota are being used.
- **Auth:** `APIFY_API_TOKEN` environment variable - **Cost estimate:** ~$0.005 per run on Apify free/paid tier
Use a dedicated Apify token with the minimum needed permissions and monitor Apify usage or spending limits.
The reviewed artifact describes intended behavior, but the actual API-calling implementation would need separate review if supplied elsewhere.
The artifact set contains only SKILL.md, while the instructions reference external implementation files not included here. This is not suspicious by itself for an instruction-only skill, but it limits what can be verified from the provided package.
- The collector depends on `apifyService.ts` for the actual API communication.
Before relying on this in production, review the referenced service code to confirm it only sends the intended Instagram handle to Apify and handles the token safely.
Each use sends the target Instagram handle to Apify and relies on Apify's scraper output, availability, caching, and rate limits.
The skill starts an external Apify scraper run based on a provided Instagram handle. This is central to the stated purpose and is disclosed, but it is still an external tool invocation users should expect.
Call `apifyService.scrapeInstagramProfile(handle)` which starts an Apify actor run
Only provide handles that are appropriate to process through Apify, and ensure the user understands the external service dependency.