Back to skill

Security audit

Instagram Downloader

Security checks across malware telemetry and agentic risk

Overview

This Instagram downloader has a plausible purpose, but it asks for sensitive Instagram session access and can read browser cookies in ways users should review carefully.

Install only if you are comfortable giving the tool access to your Instagram session. Treat the sessionid like a password, avoid passing it on a command line or in shared logs, prefer manual token entry over Chrome cookie extraction, review the installer targets before running it, and consider using a separate low-privilege Instagram account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (34)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises significant capabilities including environment access, file read/write, network use, and shell-like installation behavior, yet declares no permissions. This weakens user consent and agent governance because operators cannot accurately assess what the skill may access or modify before enabling it.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior goes beyond simple media downloading and includes credential handling, browser cookie extraction/decryption, local installation, and repository/release automation. This mismatch is dangerous because users may consent to a downloader while unknowingly granting a tool the ability to access sensitive authentication material and modify the local environment.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The installer is documented to detect AI agents and copy skill files into multiple agent-specific directories, which expands persistence and execution surface beyond a simple media downloader. In an agent-skill context, automatic propagation into agent trust paths is more dangerous because it can silently influence future agent behavior across sessions and tools.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
Conflicting documentation around broken login support can cause users or agents to invoke deprecated username/password and 2FA flows anyway. In a credential-sensitive tool, ambiguity increases the chance of unnecessary credential collection, failed auth attempts, account lockouts, or insecure workarounds.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill description says no password sharing is required, yet the code still supports username/password login and persists authenticated session settings to disk. This creates an undisclosed credential-handling path that increases the risk of accidental credential capture, misuse, or storage exposure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code silently extracts Instagram session cookies from local Chrome profiles as a fallback authentication source, but this behavior is not disclosed in the skill metadata. Harvesting browser authentication material without explicit, informed consent is highly sensitive because it bypasses normal login prompts and accesses a live authenticated session.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
This code reads Chrome's Local State, decrypts the browser key via DPAPI, copies the Cookies SQLite database, and attempts to recover the Instagram session cookie. That is a credential-harvesting capability, and in the context of a downloader it is broader and more invasive than necessary for the stated function.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation claims the login-related flags do not work, but the code still implements and invokes full login behavior. This mismatch is dangerous because users and reviewers may incorrectly assume credential paths are inactive when they are actually present and can store authenticated state.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill instructs the agent to extract an Instagram `sessionid` from a browser session and save it locally, but it does not clearly warn that this cookie is an authentication secret equivalent to account access. Storing such a token in `~/.ig-downloader/config.json` without explicit consent, secure storage guidance, or file permission requirements increases the risk of credential theft and unintended account compromise on multi-user or compromised systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README describes saving an Instagram session cookie locally but omits a clear warning that possession of that cookie may allow anyone to impersonate the user session. In this skill's context, the sessionid is effectively a bearer token for account access, so weak guidance materially increases the risk of account compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to pass the sessionid via command line and environment variables without warning that these channels may leak into shell history, process listings, CI logs, screenshots, or shared terminal recordings. Because the token can grant account access, this omission creates a practical credential exposure risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Persistently storing an Instagram session cookie in a local config file creates a reusable bearer credential on disk. If that file is read by another local process, malware, backup system, or another user account, the attacker may hijack the Instagram session without needing the password or 2FA.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Automatically extracting and decrypting Chrome cookies accesses highly sensitive browser credential material. Even if intended to simplify setup, this behavior resembles credential harvesting and can expose authentication tokens from the local profile with limited user understanding of the privacy and security implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The interactive setup can automatically obtain a sessionid and save it to a local config file without a clear warning about the sensitivity of that token or how it will be stored. Session cookies are equivalent to authenticated access and should be treated like credentials.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code accesses and decrypts sensitive browser cookies without explicit disclosure at the point of use. Even if the goal is convenience, reading browser credential material without clear notice violates user expectations and materially increases security risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installer automatically clones a GitHub repository and later installs Python packages from PyPI and/or directly from GitHub, which causes retrieval and execution of remote code during installation. While this is common installer behavior, doing so without a clear upfront warning or integrity verification increases supply-chain risk if the repo, dependencies, or network path are compromised.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script writes SKILL.md and related files into agent configuration directories under the user's profile or project tree, modifying local agent behavior without a prominent advance notice. In the context of AI agent skills, altering these directories can affect future agent sessions and trust boundaries, so silent configuration changes are security-relevant even if the content appears intended.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer clones a remote GitHub repository and performs pip installs from that repository, which results in executing untrusted code during installation. Because the source is floating on the main branch and not pinned to a reviewed commit, a repository compromise or malicious update could lead to arbitrary code execution and persistent system changes on the user's machine.

Session Persistence

Medium
Category
Rogue Agent
Content
# ═══════════════════════════════════════════════════════════════

def load_config():
    """Load saved sessionid from config file."""
    if CONFIG_FILE.exists():
        try:
            return json.loads(CONFIG_FILE.read_text(encoding='utf-8'))
Confidence
90% confidence
Finding
Load saved session

External Script Fetching

Low
Category
Supply Chain
Content
| Platform | Command |
|----------|---------|
| **Linux / macOS / Git Bash** | `curl -fsSL https://raw.githubusercontent.com/cripterhack/ig-downloader-skill/main/install.sh \| bash` |
| **Windows PowerShell** | `iex (iwr -Uri https://raw.githubusercontent.com/cripterhack/ig-downloader-skill/main/install.ps1).Content` |
| **npx (Skills.sh)** ⭐ | `npx skills add cripterhack/ig-downloader-skill` |
| **From cloned repo** | `git clone https://github.com/cripterhack/ig-downloader-skill.git && cd ig-downloader-skill && ./install.sh` |
Confidence
88% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/cripterhack/ig-downloader-skill/main/install.sh \| bash

External Script Fetching

Low
Category
Supply Chain
Content
#   ./install.sh --agent all
#
#   # One-liner (auto-downloads repo)
#   curl -fsSL https://raw.githubusercontent.com/cripterhack/ig-downloader-skill/main/install.sh | bash
#
#   # Via npx (if skills.sh registry is enabled)
#   npx skills add cripterhack/ig-downloader-skill
Confidence
92% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/cripterhack/ig-downloader-skill/main/install.sh | bash

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
instagrapi>=2.0.0
playwright>=1.48.0
Confidence
96% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
instagrapi>=2.0.0
playwright>=1.48.0
Confidence
96% confidence
Finding
instagrapi>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
instagrapi>=2.0.0
playwright>=1.48.0
Confidence
95% confidence
Finding
playwright>=1.48.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
requests

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.