Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Instagram Skill via cyberdrk/gram CLI
v1.0.0
Instagram CLI for viewing feeds, posts, profiles, and engagement via cookies.
by @arein
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary ('gram'), and the install spec for @cyberdrk/gram align with an Instagram CLI that authenticates with cookies and performs read and engagement actions.
Instruction Scope
Instructions explicitly describe extracting cookies from browser profiles or accepting sessionid/csrf/ds_user_id tokens. Reading browser profile dirs or cookie DBs can expose other site cookies if misused; the skill also supports actions (like, comment, follow) which can modify the user's account. These behaviors are coherent with the stated purpose but are sensitive and should be handled carefully.
Install Mechanism
Install is an npm package (@cyberdrk/gram) which is a typical distribution method for CLIs. Npm packages are moderate risk compared to pre-vetted system packages — verify publisher/release and review package before global install.
Credentials
No required environment variables or unrelated credentials are declared. The skill expects cookie/session tokens or access to browser cookie stores — that is proportionate to Instagram access but is high-sensitivity data.
Persistence & Privilege
always:false (good). However, the skill can perform account-changing actions (like/comment/follow). If the agent is allowed to invoke the skill autonomously, it could perform those actions on your behalf — consider restricting autonomous invocation or requiring explicit user confirmation for engagement commands.
Assessment
This skill appears to do what it says (an Instagram CLI using cookies) but it requires sensitive access: you must provide Instagram session cookies or point it at browser profile cookie DBs. Before installing or using it:
1) Verify the npm package and maintainer (review the GitHub repo and npm page) instead of blindly trusting the package name.
2) Prefer supplying cookies/tokens manually (via --session-id, --csrf-token, --ds-user-id) rather than giving the tool a browser profile directory so it cannot read unrelated cookies.
3) If you do allow cookie extraction, limit the path you give it and run it in a safe environment; browser cookie DBs may contain other sites' credentials.
4) Be cautious with engagement commands (like/comment/follow) — consider using the tool read-only or requiring confirmation before any action that changes your account.
5) Avoid global installs on sensitive machines; consider containerizing or running in a throwaway environment.
6) If you enable agent/autonomous invocation, restrict or monitor it to prevent unexpected actions on your account.
If you want more assurance, ask for the exact npm package version, a link to its release tarball, or a short audit of the package source before installing.
Like a lobster shell, security has layers — review code before you run it.
latestvk97f7f7rmnerf88qss0dn78rzn7zxdxs
Runtime requirements
📸 Clawdis
Bins: gram
Install
Install gram (npm)
Bins: gram
npm i -g @cyberdrk/gram