Back to skill
Skillv1.0.0
ClawScan security
Instagram Post Details API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 29, 2026, 12:12 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it only requires a JustOneAPI token and node to call a documented Instagram post-details endpoint and its files/instructions match that purpose.
- Guidance
- This skill appears to do exactly what it says. Before installing: ensure you trust JustOneAPI and are okay with the token being sent as a query parameter (the script appends ?token=... to the request), which may be logged by servers or proxies — prefer a limited-scope or rotateable API token. Do not paste your JUST_ONE_API_TOKEN into chat or logs; instead store it in the agent's secret manager. Verify your Node runtime supports fetch (Node 18+ or a fetch polyfill). If you prefer, you can review or modify bin/run.mjs to send the token in an Authorization header instead of a query param.
Review Dimensions
- Purpose & Capability
- okName/description request GET /api/instagram/get-post-detail/v1 and the skill requires JUST_ONE_API_TOKEN and node — both are appropriate and expected for a small API wrapper that calls JustOneAPI.
- Instruction Scope
- okSKILL.md and bin/run.mjs only instruct/implement constructing an HTTP GET to the documented endpoint with parameters 'token' and 'code'; they do not read unrelated files, other env vars, or send data to unexpected endpoints.
- Install Mechanism
- okThere is no install spec (instruction-only plus a small bundled run.mjs). No downloads or external installers are used; the included script is plain and readable.
- Credentials
- okThe only required environment variable is JUST_ONE_API_TOKEN (declared as the primary credential) which matches the API's expected authentication. No unrelated secrets or config paths are requested.
- Persistence & Privilege
- okSkill does not request always:true, does not modify system/other-skill configs, and has normal autonomous-invocation settings; its privilege/persistence level is minimal and appropriate.