auto-reply
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Instagram DM auto-reply skill, but it needs review because it uses your logged-in browser session to read/send DMs, can run persistently, forwards DM previews to Discord, and uses unsafe shell command execution.
Install only if you intentionally want an agent to access your logged-in Instagram session, read private DMs, and potentially send replies. Use a dedicated browser profile/account, review or disable the Discord forwarding and cron watcher, add a human confirmation step before replies, and pin/install dependencies from trusted sources.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act as the logged-in Instagram account, including reading private DMs and sending replies through that session.
The script extracts Instagram cookies from the logged-in local browser session and uses them for direct Instagram API calls, while the registry declares no primary credential or required env vars.
method: 'Storage.getCookies' ... const cookieStr = igCookies.map(c => `${c.name}=${c.value}`).join('; ');
Treat this as a browser-session credential. Use a dedicated browser profile/account, clearly declare the credential requirement, and require explicit approval before any write action.
The agent could send private messages from the user's Instagram account without a clear final human review step.
The documented workflow lets the agent generate and send Instagram DM replies, but the artifacts do not define confirmation, allowlists, rate limits, or rollback for account-mutating messages.
AI generates replies for `needs_reply` DMs → send via `v2.js reply`
Add a mandatory confirmation step before `reply`, restrict recipients or scenarios, log proposed replies, and make auto-send opt-in rather than the default workflow.
If an unexpected username/thread value contains shell metacharacters, it could cause unintended local command execution.
The watcher builds a shell command string containing `dm.username`, which comes from Instagram API data, rather than passing arguments safely.
const readResult = execSync(`node "${CLI_PATH}" read "${dm.username}" -l 3`, { timeout: 15000, encoding: 'utf8' });
Replace `execSync` shell strings with `execFileSync` or `spawn` using an argument array, and validate usernames before use.
A malicious DM could try to influence the agent's next actions or replies through the notification text.
The notification path emits raw Instagram DM text, and SKILL.md recommends running this command as a cron `systemEvent`, so untrusted sender text can enter the agent session before robust instruction-boundary handling.
text: (lastItem.text || lastItem.item_type || '').substring(0, 60) ... console.log(`📩 인스타 새 DM ${newMessages.length}건:\n${lines.join('\n')}`);
Mark all DM text as untrusted data, avoid injecting it as a high-authority system event, and run security filtering before placing message content in the agent context.
Private Instagram DM content may be copied to Discord unexpectedly if those environment variables exist in the runtime.
The watcher can send private Instagram DM previews to Discord using `DISCORD_TOKEN` and `OWNER_DISCORD_ID`, but those environment variables are not declared in the registry metadata and the send is triggered whenever the token is present.
const alertMsg = `📩 인스타 새 DM ${newDMs.length}건\n${msgPreview}\n\ndm-alert.json 확인하고 답장해줘...`; await sendMsg(token, dm.id, alertMsg);
Declare the Discord credential and destination, make forwarding explicitly opt-in, redact message previews by default, and require the user to confirm the Discord recipient.
Setup may require installing unpinned packages, which makes provenance and reproducibility weaker.
The scripts depend on external Node packages, but the artifact set has no install spec or lockfile and SKILL.md only explicitly calls out `ws`.
const WebSocket = require('ws'); const { program } = require('commander');
Provide a package.json/lockfile or declare exact dependency versions and installation steps.
If enabled, the skill may continue monitoring DMs in the background until the cron job or process is removed.
The documented cron example can start a long-running watcher automatically at reboot.
schedule: "@reboot" ... command: "node /path/to/scripts/dm-watcher.js --auto-reply" ... background: true
Only enable the reboot watcher intentionally, document how to stop it, and avoid enabling auto-reply persistence without explicit user consent.
