Instagram Reel Downloader (WhatsApp)

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says: it downloads a user-provided Instagram Reel through sssinstagram.com and saves a local video file for WhatsApp.

Install only if you are comfortable sharing Reel URLs with sssinstagram.com and running local browser automation. Keep BROWSER_EXECUTABLE_PATH pointed at a trusted browser binary, avoid broad or sensitive REEL_DOWNLOAD_DIR locations, and clean up downloaded videos when no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script sends a user-provided Instagram Reel URL to sssinstagram.com, a third-party service, with no disclosure or consent mechanism. That leaks user activity and potentially sensitive target URLs to an external site outside the user’s expected trust boundary, which is especially relevant because the skill is explicitly designed to bypass preferred first-party/local tooling.

Missing User Warnings

Low

Confidence: 83% confidence
Finding: The script persists downloaded media to disk in a workspace or environment-controlled directory without user-facing notice. While writing output files is expected for a downloader, lack of disclosure can still create privacy and retention issues if users do not realize copies remain on disk after transfer or processing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal