Keyapi Instagram User Analysis

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate KeyAPI Instagram analysis helper, but it includes a broader generic MCP runner and stores sensitive data locally in ways users should review first.

Install only if you trust KeyAPI and intend to use this broader MCP runner. Keep KEYAPI_TOKEN out of source control, avoid KEYAPI_SERVER_URL overrides unless you know the endpoint, use --platform instagram explicitly, consider --no-cache for sensitive lookups, and delete .keyapi-cache and .env when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill is presented as an Instagram-specific analysis workflow, but the documented runner supports generic remote tool enumeration, schema inspection, multi-platform operation, and arbitrary tool execution against an external MCP server using the user's bearer token. That broader capability increases the attack surface: a user expecting narrow Instagram analysis could instead authorize actions or data access beyond the advertised scope, especially if the remote server exposes additional tools.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script is a generic MCP runner that can invoke any server-exposed tool on any supported platform, while the declared skill is specifically for Instagram user analysis. This overbroad capability expands the attack surface, enables unintended data access or actions outside the skill's purpose, and violates least-privilege expectations for a narrowly scoped skill.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code exposes tool schema enumeration and arbitrary remote tool execution through user-controlled arguments, which is broader than necessary for an Instagram user analysis skill. An attacker or unintended caller can discover available capabilities and invoke unrelated tools, facilitating misuse, reconnaissance, or access to data outside the advertised function.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to cache API responses containing Instagram profile, content, and social-graph data under a local `.keyapi-cache/` directory, but it does not prominently warn about retention, sensitivity, sharing risk, or cleanup. Local persistence of profile intelligence can expose personal or regulated data to other local users, backups, logs, or accidental publication, especially when analyzing non-publicly contextualized relationship data at scale.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
Execute tool calls and persist responses to the local cache to avoid redundant API calls.

**Calling a tool:**

```bash
# Single call with pretty output
Confidence
90% confidence
Finding
tool:*

Credential Access

High
Category
Privilege Escalation
Content
// ── MCP client ────────────────────────────────────────────────────────────────

/** Prompt for KEYAPI_TOKEN interactively and persist it to .env */
async function promptToken() {
  if (!process.stdin.isTTY) {
    throw new Error(
Confidence
84% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
reject(new Error("No token entered. Set KEYAPI_TOKEN and try again."));
        return;
      }
      const envPath = join(ROOT, ".env");
      writeFileSync(envPath, `KEYAPI_TOKEN=${token}\n`, "utf8");
      log(`[token] Saved to ${envPath} — future runs will load it automatically`);
      process.env.KEYAPI_TOKEN = token;
Confidence
90% confidence
Finding
.env"

VirusTotal

62/62 vendors flagged this skill as clean.
