Back to skill
Skillv1.0.1
ClawScan security
Instagram Reel Downloader (WhatsApp) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 19, 2026, 6:14 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and optional env vars are consistent with its stated purpose (automating a headless browser to download an Instagram reel via sssinstagram.com and save it for WhatsApp); nothing requests unrelated credentials or installs unexpected tooling.
- Guidance
- This skill behaves as described: it runs a headless browser (Playwright) to use sssinstagram.com and downloads the video file to a downloads folder. Before installing, ensure you have Node 18+, playwright-core installed in the runtime, and a Chromium-compatible binary available (set BROWSER_EXECUTABLE_PATH if the default path is wrong). Be aware the skill contacts a third-party downloader site (sssinstagram.com) and downloads media from URLs that site returns — if that site is compromised or malicious it could cause you to fetch unexpected content. The skill does not request secrets, but it will write files to the workspace; consider running it in an isolated environment and periodically running the provided cleanup script. If you don't want the agent to run this autonomously, disable or restrict autonomous invocation on the platform side.
Review Dimensions
- Purpose & Capability
- okName/description match the included files: the Node script uses Playwright to open sssinstagram.com, submit an Instagram reel URL, and save a video file. Required runtime pieces (Node 18+, playwright-core, Chromium-compatible binary) are reasonable and documented in SKILL.md.
- Instruction Scope
- noteRuntime instructions and script are narrowly scoped to validating an Instagram reel URL, visiting sssinstagram.com, locating download links/buttons, and saving a video to a downloads folder. Note: the script performs network requests to sssinstagram.com and then downloads whichever hrefs that site exposes (CDNs or direct video links). This is expected for the task but means the skill will fetch content from third-party hosts returned by the downloader site.
- Install Mechanism
- okNo install spec bundled; the skill is instruction + code only. It relies on runtime presence of Node, playwright-core, and a browser binary. There are no embedded downloads, URL installs, or extraction of remote archives in the skill bundle itself.
- Credentials
- okNo sensitive credentials requested. Only optional env vars (OPENCLAW_WORKSPACE, REEL_DOWNLOAD_DIR, BROWSER_EXECUTABLE_PATH) are used and are proportional to file placement and browser selection.
- Persistence & Privilege
- okalways is false and the skill doesn't modify other skills or system-wide configs. It writes downloaded media to a workspace downloads directory (configurable) and provides a cleanup script. Autonomous invocation is enabled by default (platform default) but not excessive here.