Instagram User Published Posts API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper for looking up Instagram published posts, with a real token-handling caution but no hidden or destructive behavior found.

Install only if you trust JustOneAPI and are comfortable sending a revocable JUST_ONE_API_TOKEN and requested Instagram usernames to api.justoneapi.com. Treat the token as sensitive, avoid logging command lines or URLs that include it, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill places the API access token into the URL query string via applyQueryParams, which means the credential can be exposed in logs, browser history or its equivalents, proxy telemetry, monitoring systems, referrer propagation, and error messages. Even though the base URL uses HTTPS, query-string secrets are routinely captured by infrastructure and are less safely handled than authorization headers.

Missing User Warnings

Medium
Confidence: 92%
Finding
The manifest requires an API access token to be sent as a query parameter to an external service, but provides no user-facing notice about credential handling or external transmission. Query-string tokens are especially sensitive because they may be logged by clients, proxies, servers, and observability systems, increasing the chance of credential leakage beyond the intended recipient.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation requires a query-string token and target username but provides no warning that API tokens and account identifiers are sensitive data. This increases the chance that integrators expose tokens in logs, URLs, browser history, telemetry, or shared debugging output, creating credential leakage and privacy risks when querying third-party account data.

VirusTotal

65/65 vendors flagged this skill as clean.
