Back to skill

Security audit

Instagram Downloader

Security checks across malware telemetry and agentic risk

Overview

This is a plausible Instagram media downloader, but it asks for and stores sensitive Instagram session access and can read browser cookies in ways that deserve careful review before installation.

Install only if you are comfortable giving the tool access to an Instagram session. Treat sessionid values like passwords, avoid one-line remote installers unless you have reviewed the script, prefer manual/local installation, do not pass secrets where shell history or logs may capture them, and remove or revoke the saved Instagram session if the config file may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions even though its documented behavior includes environment-variable access, local file read/write, network access, and likely shell/package installation behavior. This is dangerous because users and platforms cannot make an informed trust decision, and the hidden capability set includes credential handling and filesystem access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose presents a downloader, but the skill also describes broader and more sensitive behavior: credential-based login, browser cookie extraction/decryption, persistent storage of auth material, and external installer/release automation capabilities. That mismatch is dangerous because it can mislead reviewers into approving a skill with substantially greater access to credentials, local state, and the host environment than advertised.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The documentation says password login is broken and should not be used, yet later sections still describe login/password/TOTP and challenge-handling workflows as if active. This inconsistency is dangerous because operators may enable or trust deprecated auth paths, leading to accidental credential collection, insecure fallback behavior, or misunderstanding during review.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Automatically reading and decrypting Chrome cookies to recover an Instagram session token exceeds the narrow expectations of a media downloader and accesses highly sensitive browser-stored credentials. If misused or compromised, this can enable account takeover for the logged-in Instagram session and normalizes credential harvesting behavior on the host.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The advertised behavior emphasizes sessionid, Apify, and setup wizard modes, but the implementation also supports full username/password authentication and persists authenticated session state. This expands the credential-handling scope beyond what users are led to expect, increasing the risk of collecting or storing highly sensitive account secrets in a downloader utility.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code reads Chrome's cookie database, decrypts cookies, and extracts the Instagram sessionid automatically. That is a credential-harvesting capability: a stolen session cookie can grant account access without a password, making this significantly more sensitive than ordinary media downloading.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The documentation claims the login-related flags do not work, yet the code still implements a real login path using username, password, challenge codes, and settings persistence. This mismatch can mislead reviewers and users about the true credential-handling behavior, reducing informed consent and masking risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to capture, accept, and persist sensitive authentication material such as an Instagram sessionid and Apify API token, but it does not warn about the security and privacy risks of local storage, terminal history exposure, or accidental disclosure in logs. In this context, the cookie is effectively an authentication secret, so mishandling it could enable unauthorized access to the user's Instagram session or third-party API resources.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README describes a setup flow that captures an Instagram `sessionid` and saves it to `~/.ig-downloader/config.json`, but it does not clearly warn that this cookie is a reusable authentication token equivalent to account access for many actions. Users may store it insecurely, sync it to cloud backups, or share logs/configs, enabling account takeover or unauthorized scraping if the token is exposed.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README promotes `curl | bash` and PowerShell `iex` installation flows without a warning that they fetch and execute remote code immediately on the user's machine. If the repository, hosting path, or network path is compromised, users may execute attacker-controlled code with their local privileges.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill stores a live Instagram session cookie in a local config file without prominent security guidance or described protections. A stolen sessionid can often be reused as an authenticated bearer credential, so local disclosure through other processes, backups, or shared systems may expose the user's account.

Missing User Warnings

High
Confidence
96% confidence
Finding
The documentation describes polling the Chrome cookie database and decrypting stored cookies, but does not foreground that this accesses private browser credential material. This is dangerous because users may consent to 'setup' without realizing it effectively harvests a reusable authentication token from their browser profile.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The tool captures session cookies from Chrome or manual input and saves them to local configuration without a strong user-facing warning about the sensitivity of these tokens. Session cookies function as bearer credentials, so quiet capture and persistence materially increases the chance of accidental exposure or misuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installer clones a remote Git repository when run outside the repo and later installs Python code from that source or directly from GitHub. Fetching and executing remote code during installation is inherently risky because a compromised repository, dependency, or man-in-the-middle of the trust chain can lead to arbitrary code execution on the user's machine.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script uses Invoke-Expression to build and run pip install commands, which is dangerous because expression evaluation increases the risk of command injection and unintended shell interpretation. Even if current inputs are mostly hardcoded, this pattern executes package installation commands that may fetch and run arbitrary setup/build code from remote sources.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
In standalone mode the script clones a remote repository and later installs packages from GitHub/PyPI, which results in execution of unpinned third-party code during installation. Because the script also advertises a curl-to-bash flow, users may run it without reviewing content, increasing supply-chain risk if the repo, dependency, or transport path is compromised.

Session Persistence

Medium
Category
Rogue Agent
Content
# ═══════════════════════════════════════════════════════════════

def load_config():
    """Load saved sessionid from config file."""
    if CONFIG_FILE.exists():
        try:
            return json.loads(CONFIG_FILE.read_text(encoding='utf-8'))
Confidence
95% confidence
Finding
Load saved session

External Script Fetching

Low
Category
Supply Chain
Content
| Platform | Command |
|----------|---------|
| **Linux / macOS / Git Bash** | `curl -fsSL https://raw.githubusercontent.com/cripterhack/ig-downloader-skill/main/install.sh \| bash` |
| **Windows PowerShell** | `iex (iwr -Uri https://raw.githubusercontent.com/cripterhack/ig-downloader-skill/main/install.ps1).Content` |
| **npx (Skills.sh)** ⭐ | `npx skills add cripterhack/ig-downloader-skill` |
| **From cloned repo** | `git clone https://github.com/cripterhack/ig-downloader-skill.git && cd ig-downloader-skill && ./install.sh` |
Confidence
97% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/cripterhack/ig-downloader-skill/main/install.sh \| bash

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
instagrapi>=2.0.0
playwright>=1.48.0
Confidence
95% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
instagrapi>=2.0.0
playwright>=1.48.0
Confidence
95% confidence
Finding
instagrapi>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
instagrapi>=2.0.0
playwright>=1.48.0
Confidence
94% confidence
Finding
playwright>=1.48.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

Known Vulnerable Dependency: instagrapi — 1 advisory(ies): GHSA-ggxf-37hm-9wqf (instagrapi: Unsafe signup challenge path handling in instagrapi)

Low
Category
Supply Chain
Confidence
83% confidence
Finding
instagrapi

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
90% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: instagrapi==2.0.0 — 1 advisory(ies): GHSA-ggxf-37hm-9wqf (instagrapi: Unsafe signup challenge path handling in instagrapi)

Low
Category
Supply Chain
Confidence
79% confidence
Finding
instagrapi==2.0.0

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.