Back to skill

Security audit

Instagram Skill via cyberdrk/gram CLI

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Instagram CLI skill, but it handles live Instagram session cookies and can perform account actions, so users should treat it carefully.

Install only if you trust the gram npm package with your Instagram session. Treat Instagram cookies and browser profiles like passwords, avoid putting tokens in shared configs, logs, screenshots, or shell history, and only run engagement commands when you intend to change your account state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly instructs users to supply highly sensitive Instagram session cookies (`sessionid`, `csrftoken`, `ds_user_id`) and browser cookie sources, but provides no warning that these values effectively authenticate the account and must be handled like passwords. In an agent/skill context, encouraging direct credential passing and browser-cookie extraction increases the chance of accidental disclosure, logging, or misuse by downstream tooling.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.