ClawHub

Instagram Hashtag Posts Search API

Security checks across malware telemetry and agentic risk

Overview

This is a focused JustOneAPI wrapper for searching Instagram hashtag posts, with disclosed token use and no hidden persistence or local data access.

Install only if you trust JustOneAPI with the hashtags you search and the token you provide. Prefer a limited-scope token if available, avoid sharing command output or URLs that may contain the token, and use the skill only for lawful, user-directed research of public content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill defines the API access token as a query parameter and automatically appends it to the request URL. Query-string credentials are commonly exposed through logs, proxies, browser/history mechanisms, monitoring systems, and error telemetry, so the token may be disclosed beyond the intended recipient. In this skill context, the code is a generic API wrapper and there is no compensating control or warning, which makes the exposure more dangerous rather than less.

Natural-Language Policy Violations

Medium
Confidence
85% confidence
Finding
The operation description explicitly promotes monitoring community discussions and public opinion on hashtags, which creates a surveillance-oriented use case without user-consent boundaries, purpose limitation, or abuse controls. In an agent ecosystem, such framing can encourage bulk social monitoring or profiling of groups around topics, making misuse more likely even though the endpoint itself is only a search API.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal