ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Instagram Poster

v1.0.0

Post images to Instagram automatically via Telegram. Generates images with WaveSpeed or uses your own. Bypasses Instagram bot detection using residential pro...

0· 1.5k·3 current·4 all-time
byIlya@al1enjesus
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Instagram autoposter) match the declared requirements: IG_USERNAME/IG_PASSWORD, dependency on human-browser (residential proxy). The included scripts and README show code paths needed to log in and post images; these requirements are proportionate to the stated purpose.
Instruction Scope
SKILL.md and scripts instruct the agent to download images (HTTP/HTTPS), launch the human-browser skill, log in, and interact with Instagram UI. This stays within the posting scope, but the skill will download arbitrary URLs (user-supplied) and will read/write a session file (~/.openclaw/ig-session.json). If an agent or user supplies an internal URL, the skill could retrieve and upload that content — expected for a poster but worth noting.
Install Mechanism
No install spec (instruction-only with shipped script) — lowest install risk. The code requires the human-browser skill to exist at a relative path; that dependency is declared. Nothing is downloaded from arbitrary URLs during install.
Credentials
Only IG_USERNAME and IG_PASSWORD are required (plus optional IG_SESSION_PATH), which is appropriate for logging in. The skill saves session cookies locally; environment variables or config entries could store credentials in plaintext — a user-consent/secret-management consideration but proportionate to purpose.
Persistence & Privilege
always:false (normal). The skill saves session cookies to ~/.openclaw/ig-session.json so subsequent runs avoid re-login — expected for convenience. This is a persistent file in the user's home directory but does not modify other skills or system-wide settings.
Assessment
This skill appears coherent for automating Instagram posts, but review these before installing: - Trust the human-browser service: it provides the residential proxy and fingerprinting; the skill relies on that external provider to bypass bot detection. - Protect your Instagram credentials: the skill requires IG_USERNAME/IG_PASSWORD and may be stored in your OpenClaw config or environment; prefer using a saved session file if you want to avoid putting passwords in config. Rotate credentials if you stop using the skill. - Be careful with image URLs: the script will download any user-supplied HTTPS URL. Do not instruct the agent to fetch internal or sensitive URLs that you don't want posted to Instagram. - Verify the human-browser dependency path: the script requires a local human-browser skill entry (relative path). Ensure that dependency is the official one you intend to use. - Because the code sample was truncated in the listing, consider reviewing the full scripts/post.js file in your environment before trusting it with credentials; if you need higher assurance, run it in an isolated environment or inspect the human-browser integration points.

Like a lobster shell, security has layers — review code before you run it.

latestvk9773pwm93kpr75kteh6smw1m181mwed

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📸 Clawdis
OSLinux · macOS · Windows
EnvIG_USERNAME, IG_PASSWORD

Comments