Instagram Skill via cyberdrk/gram CLI
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This Instagram CLI is purpose-aligned but uses live browser/session cookies and can change the user’s Instagram account, so it should be reviewed carefully before use.
Install only if you are comfortable giving this CLI access to your Instagram session. Prefer a dedicated or low-risk account, verify the npm package source, start with read-only commands, and require explicit confirmation before any like, comment, follow, unfollow, save, or unsave action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If misused or compromised, the skill could access the user’s Instagram account through existing browser/session cookies.
The skill explicitly uses live Instagram session cookies and browser cookie sources, giving the CLI access as the logged-in user. That is high-impact credential/session access and the artifacts do not show strong boundaries around extraction, storage, or use.
`gram` uses cookie-based auth from your Instagram web session. Use `--session-id`, `--csrf-token`, and `--ds-user-id` to pass cookies directly, or `--cookie-source` for browser cookies.
Use a dedicated Instagram session or test account where possible, avoid broad browser-cookie extraction unless necessary, verify what cookies are used, and revoke the session if anything unexpected occurs.
An agent using this skill could accidentally like, comment, follow, unfollow, save, or unsave content under the user’s Instagram account.
The documented commands can mutate the Instagram account and create public or socially visible activity. The skill does not document confirmation requirements or other guardrails before these actions.
gram comment <shortcode> "nice!"  # Comment on a post
gram follow <username>           # Follow a user
gram unfollow <username>         # Unfollow a user
Treat the skill as read-only unless the user explicitly requests an engagement action, and require confirmation of the exact target and comment text before running mutating commands.
The user must trust the external npm package with Instagram session access; static scanning of this skill did not inspect that package code.
The skill depends on an external npm package to provide the CLI. The reviewed artifacts contain only SKILL.md and no package source code, while the package will handle browser/session cookies.
node | package: @cyberdrk/gram | creates binaries: gram
Inspect or pin the npm package version before installation, verify the package provenance, and avoid exposing valuable account cookies to unreviewed code.
