Instagram Reels

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward guide for downloading and transcribing reels, with real privacy and cookie-handling cautions but no hidden, destructive, or deceptive behavior found.

Install only if you are comfortable sending reel audio to Groq for transcription. Do not process private, copyrighted, or sensitive media unless you are authorized to share it with that service. Avoid using Instagram cookies unless necessary; if you do, treat the cookie file like a login token, keep it local, never share or commit it, and delete it after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill sends downloaded audio to Groq's transcription API, but the description and workflow do not clearly warn users that reel content is uploaded to a third-party service. This can lead to unintentional disclosure of private, copyrighted, or sensitive media content, especially when users assume processing is local.

Missing User Warnings

Medium
Confidence: 96%
Finding
The instructions tell users to export and pass browser cookies for private reels without warning that cookies are authentication credentials equivalent to session tokens. Mishandling these files can expose user accounts, enable account takeover, or leak access to private content.

VirusTotal

63/63 vendors flagged this skill as clean.