instagram-saver
PassAudited by ClawScan on May 1, 2026.
Overview
This looks like a straightforward Instagram downloader, but it sends pasted Instagram links to Cobalt through a curl request.
This skill appears safe for its stated purpose if you are comfortable sending the Instagram link to Cobalt. Use it only with links you intend to download, avoid private or sensitive URLs, and do not provide Instagram credentials or cookies.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or crafted pasted link could cause the command to fail or be misdirected if substituted unsafely.
The skill tells the agent to execute a shell command and substitute a user-provided URL. This is purpose-aligned, but raw shell substitution should be handled carefully.
執行以下 `curl` 指令(請將 `{url}` 替換為實際連結)Only run it for intended Instagram URLs, validate the URL, and construct the curl request without directly shell-interpolating untrusted text.
Cobalt can see the Instagram URL being processed, which may matter for private or sensitive links.
The workflow sends the pasted Instagram URL to the external Cobalt API. This is disclosed and central to the skill, but it means the third-party service receives the link.
API Endpoint: `https://api.cobalt.tools/api/json` ... Body: `{"url": "{url}"}`Use only links you are comfortable sharing with Cobalt, and do not provide cookies, passwords, or private account credentials.