Keyapi Instagram User Analysis

Status: Pass. Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: keyapi-instagram-user-analysis
Version: 1.0.0

The skill bundle provides a legitimate interface for Instagram data analysis via the KeyAPI MCP service. The primary logic in `scripts/run.js` facilitates API communication, local caching, and pagination using the official Model Context Protocol SDK. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found; the script's behavior, including writing API tokens to a local `.env` file and caching results in `.keyapi-cache`, is consistent with its stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could query unintended KeyAPI tools or fetch more social-graph data than expected.

Why it was flagged

The helper is a generic KeyAPI MCP runner rather than a narrowly hardcoded Instagram-only wrapper. This is useful for the documented workflow, but it means the agent or user can choose tool names, platforms, pagination breadth, and output paths.

Skill content

Calls any KeyAPI MCP tool with built-in caching, auto-pagination... --tool <name> ... --platform <name> ... --all-pages ... --output <path>

Recommendation

Use explicit Instagram platform/tool names, inspect schemas before calls, and avoid broad --all-pages runs unless you intend to collect a large result set.

What this means

Anyone with access to the skill directory or a committed .env file could obtain the API token.

Why it was flagged

The runner can persist the KeyAPI token into a local .env file after an interactive prompt. This is disclosed setup behavior for the provider API, but it stores a credential on disk.

Skill content

writeFileSync(envPath, `KEYAPI_TOKEN=${token}\n`, "utf8"); ... process.env.KEYAPI_TOKEN = token;

Recommendation

Do not commit .env files, restrict local file permissions, and prefer short-lived or limited-scope tokens if KeyAPI supports them.

What this means

Installing later dependency versions could change runtime behavior compared with the reviewed package metadata.

Why it was flagged

The skill depends on an npm package using a non-exact (caret) version range. This is normal for Node-based MCP tooling, but newer semver-compatible versions of the package may be installed at install time unless a lockfile or an exact pinned version is used.

Skill content

"dependencies": { "@modelcontextprotocol/sdk": "^1.10.2" }

Recommendation

Install in an isolated directory, consider using a lockfile or exact dependency version, and verify package provenance before running npm install.

What this means

Cached analysis results can reveal which accounts were researched and may contain social-profile data accessible to other local users.

Why it was flagged

API responses are cached locally by default. For this skill, those responses may include Instagram profile, content, follower/following, story, or related-account data.

Skill content

Deterministic cache path: .keyapi-cache/YYYY-MM-DD/<tool>/<hash>.json

Recommendation

Use --no-cache for sensitive lookups, review or delete .keyapi-cache after use, and avoid running the skill from shared directories.