Instagram Publish

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it helps publish a user-provided image to Instagram using the user's own Meta access token.

Before installing, understand that this script can publish to your Instagram account with the access token you provide. Keep the token out of git, create the missing .env file manually if needed, use --dry-run first, and revoke the token immediately if it leaks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill documentation instructs use of environment variables, reading a local .env file, and making outbound network requests, but no declared permissions are described alongside those capabilities. Even if the behavior is expected for an Instagram publishing skill, the mismatch reduces transparency and can lead users or host systems to grant broader access than they realize.

VirusTotal

65/65 vendors flagged this skill as clean.
