Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Insta Content Engine

v1.0.0

Find trending topics, create editorial-style social media graphics, and post to X/Twitter and Instagram. Includes image generation with photographic backgrou...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The files and SKILL.md implement the stated functionality (viral search, image generation via OpenAI, and Instagram posting). However, the registry metadata declares no required env vars or credentials, while the SKILL.md and scripts clearly require OPENAI_API_KEY, BRAVE_API_KEY, and IG_USERNAME/IG_PASSWORD. This mismatch is unexpected and inconsistent with the published metadata.

Instruction Scope (flagged)
Runtime instructions and code are explicit about network calls to OpenAI and Brave Search and about using the bird CLI and instagrapi. Concerns: (1) instagram-search.js will try to read ~/.openclaw/clawdbot.json to extract an API key (this accesses a potentially broad local config file), (2) instagram-post.js constructs a Python script that embeds the username and password and executes it via python -c, which can expose the credentials on the process command line to any local user who can list processes, and (3) the scripts create and read a session file at ~/.openclaw/ig_session.json (persistent tokens). These behaviors go beyond a simple "search and post" scope and have privacy and credential-exposure implications.

Install Mechanism
No install spec and all code is shipped in the skill bundle (instruction-only install). No external archives or unknown download URLs are used. Required runtimes (node, python, pip packages, bird CLI) are standard for the task.
Credentials (flagged)
The credentials requested by the code (an OpenAI key for image generation, a Brave Search key for Instagram scraping, and an Instagram username/password for posting) are proportionate to the functionality. However, the skill registry advertises no required env vars, so the runtime expectation is not declared to users. Also, reading ~/.openclaw/clawdbot.json can surface unrelated credentials from a user's OpenClaw config.
Persistence & Privilege
The skill stores Instagram session data under ~/.openclaw/ig_session.json so the login can be reused. This is expected for a posting tool, but it creates persistent tokens on disk that should be protected. The skill is not force-installed (always: false) and does not modify other skills, but it does access a shared OpenClaw config path which could overlap with other tooling.
What to consider before installing
This skill implements searching, image generation (OpenAI), and Instagram posting, but before installing you should: (1) expect to provide OPENAI_API_KEY, BRAVE_API_KEY, and IG_USERNAME/IG_PASSWORD; the published metadata does not declare these, so be cautious, (2) review and, if needed, sanitize ~/.openclaw/clawdbot.json because the script reads it for keys, (3) avoid running with your main Instagram account credentials and consider a throwaway/test account instead, (4) be aware that instagram-post.js embeds credentials into a Python command string, which can expose them in process listings while it runs, (5) note that the skill will persist session tokens to ~/.openclaw/ig_session.json, so protect or remove that file if you stop using the skill, and (6) inspect the code yourself or run it in an isolated environment (container or VM) if you plan to use real credentials. If you want to proceed safely, ask the author to update the registry metadata to list the required env vars and to change the posting flow so credentials are not placed on the command line (e.g., pass them via stdin or use a secure session flow).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

scripts/instagram-post.js:120
Shell command execution detected (child_process).
scripts/viral-search.js:68
Shell command execution detected (child_process).


Tags: carousel, content-creation, image-generation, instagram, latest, openai, twitter, viral-search
