Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Instagram Api
v1.1.1
Post to Instagram (Feed, Story, Reels, Carousel) and Threads using the official Meta Graph API. Requires Imgur for media hosting.
by Tomas @lifeissea
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description (Instagram/Threads posting via Meta Graph and Imgur) aligns with the code: scripts upload media to Imgur and call Meta/Threads Graph endpoints. Required credentials (Instagram token, business account id, Imgur client id) are appropriate for the described functionality.
Instruction Scope
post-threads.sh sources ~/.openclaw/.env if present and invokes an absolute path (/Users/tomas/.openclaw/workspace/scripts/utils/clean_md.py) to preprocess captions. Sourcing a user dotfile can execute arbitrary commands from the file; calling a hard-coded local script outside the skill bundle is unexpected and could read/process local data or execute arbitrary code. Scripts also write logs to ~/logs/sns — expected, but note creation of local logs.
Install Mechanism
No install spec (instruction-only with included scripts). No remote downloads or extract steps in the skill itself. Scripts rely on python3 available at runtime (embedded inline Python).
Credentials
Declared required env vars (INSTAGRAM_ACCESS_TOKEN, INSTAGRAM_BUSINESS_ACCOUNT_ID, IMGUR_CLIENT_ID) are proportional to purpose. Threads uses THREADS_ACCESS_TOKEN and THREADS_USER_ID (documented as optional in body but not listed in the top requires_env YAML), which is a minor mismatch. The script's sourcing of ~/.openclaw/.env expands environment access beyond explicit env variables and may load sensitive values or execute code.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. It creates application logs under ~/logs/sns and may source ~/.openclaw/.env, but it does not modify other skills or system configuration.
What to consider before installing
This skill appears to do what it says (upload media to Imgur and post via Meta Graph/Threads), but exercise caution before installing. Two red flags: (1) post-threads.sh will source ~/.openclaw/.env if present — sourcing a dotfile can execute arbitrary shell commands stored there; ensure that file contains only harmless environment variable exports or remove that line. (2) post-threads.sh calls a hard-coded local script /Users/tomas/.openclaw/.../clean_md.py which is outside the skill bundle; that is likely a leftover development reference and could execute arbitrary local code or read local files. Before use, either remove/replace that call with a bundled or remote-safe routine, or ensure the referenced path is absent or trusted. Also verify you are comfortable providing the Instagram/Threads tokens and Imgur Client ID (they grant posting access). If you proceed, inspect and sanitize the scripts (remove sourcing and hard-coded paths), run them in a restricted account or container, and avoid storing long-lived secrets in shared dotfiles.
Like a lobster shell, security has layers — review code before you run it.
