Unipile Instagram Sdk
v1.0.6Access Instagram messaging, profiles, posts, and interactions via Unipile's official Node.js SDK for automation and content management.
⭐ 1· 82·0 current·0 all-time
byMohit Yadav@mohit21gojs
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill advertises Unipile Instagram access and its runtime files and SKILL.md require Unipile credentials (UNIPILE_DSN, UNIPILE_ACCESS_TOKEN) and optionally UNIPILE_PERMISSIONS — these are appropriate and expected for the described functionality. Note: the platform-level requirement summary at the top incorrectly listed "Required env vars: none," which conflicts with SKILL.md and the CLI code that enforce those environment variables.
Instruction Scope
SKILL.md and scripts/instagram.mjs only instruct usage of the Unipile SDK/Unipile API and local CLI commands; they do not instruct reading unrelated system files, other credentials, or sending data to third-party endpoints beyond the Unipile DSN. The skill enforces a read/write permission model via UNIPILE_PERMISSIONS and exits when required env vars are missing.
Install Mechanism
There is no automated install spec in the platform manifest, but SKILL.md instructs users to run npm install in the skill workspace and package.json depends on 'unipile-node-sdk' from the npm registry. Using npm is normal for this Node.js CLI; package-lock.json is present which helps reproducibility. This is moderate-risk (public npm dependency) but coherent with the skill's purpose.
Credentials
Requested environment variables (UNIPILE_DSN, UNIPILE_ACCESS_TOKEN, optional UNIPILE_PERMISSIONS) are proportional to the skill's capabilities. The primary credential is UNIPILE_ACCESS_TOKEN which correctly maps to full API access. Again, platform metadata omission of these required env vars is inconsistent with the SKILL.md and code.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system configuration. It can be invoked autonomously (disable-model-invocation: false), which is the platform default — note that autonomous use combined with write permissions (if granted) allows the agent to perform actions like sending DMs or creating posts, so you should limit UNIPILE_PERMISSIONS if you want read-only behavior.
Assessment
What to consider before installing:
- This skill legitimately needs UNIPILE_DSN and UNIPILE_ACCESS_TOKEN to function; those credentials grant API-level control over connected Instagram accounts. Only install if you trust Unipile and understand that these tokens can read and (if permitted) write as those accounts.
- Prefer UNIPILE_PERMISSIONS=read for safer, view-only use. Only grant write permissions when you explicitly need actions (send DMs, create posts).
- Verify the 'unipile-node-sdk' package on npm/GitHub (review repo, recent releases, maintainers) before running npm install.
- The platform metadata omitted the required env vars, but SKILL.md and the CLI enforce them — treat SKILL.md/code as authoritative and ask the publisher to correct the platform metadata if needed.
- Because the agent can run autonomously, be cautious about enabling write access; consider setting explicit guardrails (use a dedicated Instagram account, rotate tokens regularly, monitor Unipile dashboard for unexpected activity).
- If you are not already a Unipile user, or you cannot verify the Unipile SDK package/source, do not install. If uncertain, ask the publisher for proof-of-origin (official Unipile repo link) or request the skill be approved by someone who manages your social accounts.Like a lobster shell, security has layers — review code before you run it.
latestvk972a0xqsajy7eh0nxmg7f0v7183qa58
License
MIT-0
Free to use, modify, and redistribute. No attribution required.