Skill v1.0.0
ClawScan security
Instagram User Published Posts API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 12:12 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill's files, runtime instructions, and required environment access (JUST_ONE_API_TOKEN and node) are consistent with its stated purpose of calling JustOneAPI's Instagram get-user-posts endpoint.
- Guidance: This skill appears coherent and limited to calling JustOneAPI for Instagram posts. Before installing: (1) confirm JUST_ONE_API_TOKEN is a token you control and that it is least-privilege; (2) be aware the helper sends the token in the URL query string, which can be logged by servers or proxies, so prefer tokens that are revocable and rotate them if needed; (3) ensure your agent runtime provides a recent Node.js with fetch support or adjust the helper; (4) verify the base URL (https://api.justoneapi.com) is expected for your use; and (5) avoid pasting the token into chat or logs, as the SKILL.md advises. If you need stricter guarantees, request a version that uses an Authorization header or avoids placing secrets in query parameters.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (node), required env var (JUST_ONE_API_TOKEN), and the included CLI helper all match the declared purpose of calling JustOneAPI's Instagram get-user-posts endpoint.
- Instruction Scope (ok): SKILL.md and bin/run.mjs only request the username/paginationToken and the API token, instruct the agent to call the documented endpoint, and direct no unrelated file reads, system scans, or external endpoints beyond api.justoneapi.com.
- Install Mechanism (ok): No install spec; this is instruction-only plus a small helper script (bin/run.mjs). No remote downloads, package installs, or archives are performed by the skill.
- Credentials (note): Only JUST_ONE_API_TOKEN is required, which is appropriate. One caution: the helper sends the token as a query parameter (token=...), which may be logged by intermediaries or server logs; that is a security posture consideration but not inconsistent with the skill's purpose.
- Persistence & Privilege (ok): `always` is false, and the skill does not attempt to persist or modify other skills or system-wide settings. It runs when invoked and has no elevated persistence requirements.
