Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

instagram-saver

v1.0.0

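When the user pastes an Instagram link, automatically download all high-resolution images and videos in that post. Uses the Cobalt API for parsing, supports multi-image posts, and automatically reports back if the account is private.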

by BIS1205 @kenleung1205
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The description claims 'automatically download all high‑res images/videos' and 'auto‑report private accounts', but SKILL.md only shows a single curl POST to https://api.cobalt.tools/api/json to obtain data. There are no steps to download or save media, handle multi‑image posts, or implement any 'report' action. The claimed capabilities are not delivered by the instructions.
Instruction Scope
Instructions require sending the user-supplied Instagram URL to a third‑party service (cobalt.tools). They do not specify how to parse the returned JSON, how/where to download media, or what 'reporting' entails. This leaves broad agent discretion and potential unintended data exfiltration to the external API.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself. This is low install risk.
Credentials
The skill requests no credentials or env vars, which is proportionate. However, it mandates an outbound network call that sends user-supplied URLs (and possibly identifying information) to a third party (cobalt.tools), which has privacy implications even though no secrets are requested.
Persistence & Privilege
The skill does not request always: true and is user‑invocable only. It does not attempt to alter other skills or system configs.
What to consider before installing
Do not install or enable this skill unless you are comfortable with a third party (https://api.cobalt.tools) receiving every Instagram URL the agent processes. Ask the author for: (1) exact steps that download and store the media (where files are saved, naming, cleanup), (2) the precise behavior for 'reporting' private accounts (what is reported, to whom, and under what authorization), (3) example responses from the Cobalt API and how the skill parses them, and (4) provenance or a homepage/source code so you can audit it. If you must test, run in an isolated environment and avoid sending URLs that contain private or sensitive context; prefer a solution that downloads media locally or uses an official API with explicit credentials and consent.

Like a lobster shell, security has layers — review code before you run it.

latestvk9705k2ejft1zh41j10qjra9f581hh0g
730 downloads
0 stars
1 version
Updated 7h ago
v1.0.0
MIT-0

Instagram Saver

When an Instagram link is detected, use the Cobalt API to parse it and download the content.

Workflow

Step 1 — Prepare the API request (Prepare Request)

When the user provides an Instagram URL (url), prepare to run a curl command. We will use the Cobalt API to obtain the real media download links.

API Endpoint: https://api.cobalt.tools/api/json
Header: Content-Type: application/json
Header: Accept: application/json
Body: {"url": "{url}"}

Step 2 — Send the request and parse (Fetch & Parse)

Run the following curl command (replace {url} with the actual link):

curl -X POST https://api.cobalt.tools/api/json \
     -H "Content-Type: application/json" \
     -H "Accept: application/json" \
     -d '{"url": "{url}"}'
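The workflow above substitutes a user-supplied string directly into a quoted shell argument and forwards it to a third party. The following is an added example, not part of the skill or of the Cobalt project, showing one way to build the same request with the input validated, minimized and JSON-encoded. The function names, the host allowlist and the choice to drop the query string and fragment are assumptions of this example.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Endpoint and headers are the ones listed in the skill's Step 1.
COBALT_ENDPOINT = "https://api.cobalt.tools/api/json"
# Assumption: only these hosts count as "an Instagram link".
ALLOWED_HOSTS = {"instagram.com", "www.instagram.com"}


def sanitize_instagram_url(raw: str) -> str:
    """Return a minimized https Instagram URL, or raise ValueError."""
    parts = urlsplit(raw.strip())
    if parts.scheme != "https":
        raise ValueError("only https URLs are accepted")
    # Userinfo or an explicit port makes the real destination ambiguous
    # (e.g. https://www.instagram.com@other.example/...).
    if parts.username or parts.password or parts.port:
        raise ValueError("userinfo and port are not accepted")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    # Drop query string and fragment so share-tracking parameters are
    # not disclosed to the third-party API.
    return urlunsplit(("https", host, parts.path, "", ""))


def build_curl_argv(raw: str) -> list[str]:
    """argv for the Step 2 request; pass to subprocess.run(argv), no shell."""
    # json.dumps escapes quotes and backslashes, so the input cannot
    # add or alter fields in the request body.
    body = json.dumps({"url": sanitize_instagram_url(raw)})
    return [
        "curl", "-X", "POST", COBALT_ENDPOINT,
        "-H", "Content-Type: application/json",
        "-H", "Accept: application/json",
        "-d", body,
    ]
```

Because the command is an argument list rather than a shell string, quote characters in the input reach curl as data and are never interpreted by a shell.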
