Security audit

Instagram Hashtag Posts

Security checks across malware telemetry and agentic risk

Overview

This Instagram scraping skill is purpose-related, but it uses authenticated backend request replay and rate-limit evasion guidance that users should review before installing.

Install only if you are comfortable with an agent using your logged-in Instagram browser session to make backend GraphQL requests, not just reading visible page content. Avoid using the batch guidance for stealth sessions or throughput scaling, and treat the skill as Review-worthy until its documentation clearly discloses token/session use and removes rate-limit evasion advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The skill claims it only reads data already shown on screen, but it actually directs replay of Instagram GraphQL backend requests using the user's authenticated browser context. This is deceptive about the true data-access method and materially expands capability from UI observation to direct API extraction, which can violate user expectations, platform terms, and internal safety boundaries.

Intent-Code Divergence

High

Confidence: 98% confidence
Finding: The documentation says the skill does not bypass authentication or access controls, yet it uses session cookies and CSRF tokens to issue direct authenticated GraphQL calls. Even if it reuses the user's valid session, this is still privileged backend interaction and not merely reading on-screen content, so the description obscures security-sensitive behavior. The mismatch makes the skill more dangerous because reviewers may approve it under false assumptions about capability and risk.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The recommendation to increase throughput via multiple stealth browser sessions with independent fingerprints is a classic anti-detection and rate-limit evasion pattern. That guidance is not necessary for normal hashtag lookup and suggests deliberate scaling of scraping beyond ordinary user behavior, increasing abuse potential and policy risk.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill instructs reading and potentially appending to a local memory file without clear up-front disclosure that local files may be modified. Undisclosed persistence can surprise users, leak operational details across tasks, and create a covert state channel that influences future runs without transparent consent.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The script explicitly reads the browser's Instagram CSRF token from document.cookie and attempts to extract additional request tokens from page scripts, then uses them to perform an authenticated GraphQL request. Even though the request is sent to Instagram rather than an attacker-controlled host, it leverages the user's authenticated session without clear disclosure or consent, enabling access to account-scoped data and normalizing credentialed scraping behavior.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.