Instagram Search

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says: it enables Instagram search through Xpoz, with disclosed OAuth, network, mcporter, and CSV export behavior.

Install only if you are comfortable sending Instagram search queries to Xpoz and receiving exported social-media results. Avoid bulk exporting or redistributing personal/profile data unless you have a legitimate purpose and can comply with platform terms, privacy expectations, and applicable law.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The skill explicitly promotes CSV export of Instagram search results without any guidance on handling personal data, retention, consent, or downstream sharing. Because this skill is designed for large-scale discovery of profiles, posts, and influencers, omission of privacy and data-handling safeguards can facilitate bulk collection, redistribution, or misuse of personal/social-media data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal