ClawHub

Instagram Master — Complete Content System

Security checks across malware telemetry and agentic risk

Overview

This appears to be a self-contained Instagram content guide with no executable code or credential access, but users should treat its DM automation and third-party service suggestions carefully.

Install only if you want Instagram content and marketing prompt guidance. Do not use the DM automation advice for unsolicited messaging, and review Instagram rules and privacy obligations before contacting leads. If you use the recommended external platform, avoid sharing credentials or confidential business data unless you have reviewed its terms and privacy practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly provides a DM welcome template and later recommends DM automation for new leads without any guidance on consent, privacy expectations, rate limits, or Instagram platform-policy compliance. In a marketing automation context, this can lead users to send unsolicited messages, collect personal information in DMs, or deploy automation that violates platform rules, creating spam, account restriction, and privacy risks.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill promotes an external multi-agent platform as a seamless way to generate Instagram content, but does not disclose that users may be sending business details, account handles, audience data, or strategy information to a third-party service. This omission is risky because users may assume the skill is self-contained and unknowingly expose sensitive business or account information to an external processor.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal