Instagram auto reply comments with DMs

Review

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherently designed to automate Instagram comment-to-DM funnels, but it uses sensitive Instagram messaging permissions and can start persistent automated DM monitors.

Install only if you want Upload-Post to manage Instagram comment-to-DM automation for a connected Instagram Business account. Before approving any run, confirm the profile, post URL, DM content, trigger keywords, and whether monitoring should persist. Prefer keyword filters, keep the API key secure, verify provider compliance/privacy terms, and stop or delete monitors when finished.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the wrong post, profile, message, or keywords are used, the user’s Instagram account could send unintended DMs.

Why it was flagged

The skill instructs the agent to call an API endpoint that starts automated Instagram DM sending. This is purpose-aligned, but it is a high-impact action that should be user-confirmed and carefully parameterized.

Skill content

curl -X POST "https://api.upload-post.com/api/uploadposts/autodms/start" ... "reply_message": "Hey! Here is your guide" ... "trigger_keywords": ["guide", "link"]

Recommendation

Confirm the exact Instagram profile, post URL, DM text, trigger keywords, and whether monitoring should be one-shot or persistent before allowing the action.

What this means

The Upload-Post API key can enable actions and access tied to the user’s Instagram Business account.

Why it was flagged

The connected Instagram account grants permissions to read comments, read/send DMs, and access basic account information. These are expected for the use case but sensitive.

Skill content

instagram_business_manage_messages — send and read DMs; instagram_business_manage_comments — read comments; instagram_business_basic — account info

Recommendation

Use a dedicated Upload-Post profile/API key where possible, store the key securely, and revoke or rotate it if no longer needed.

What this means

DM automation may continue after the chat ends unless the monitor is stopped or deleted.

Why it was flagged

The skill can create remote background automation that continues after the current agent session. The artifact discloses this and instructs confirmation, so this is a persistence note rather than a concern.

Skill content

Persistent monitors run on Upload-Post's servers for up to 15 days, even after the agent session ends. Always confirm with the user before starting a monitor

Recommendation

Record the returned monitor ID, review monitor status/logs, and stop or delete the monitor when the funnel is no longer needed.

What this means

A simple configuration mistake could result in many unintended DMs and possible spam complaints.

Why it was flagged

A missing trigger keyword filter can expand the automation from targeted replies to every commenter on a post.

Skill content

If omitted, ALL commenters receive a DM — use with caution.

Recommendation

Prefer explicit trigger keywords and test with a small or one-shot run before enabling persistent monitoring.

What this means

Commenter identities and conversation replies may be used by the automation and should be treated as sensitive lead/conversation data.

Why it was flagged

The service maintains interaction state and may process DM replies. This is purpose-aligned, but it involves persistent customer/conversation data.

Skill content

Tracks who's been contacted to avoid duplicates; Optionally monitors DM replies for follow-up conversations

Recommendation

Review Upload-Post’s data retention and privacy practices, and avoid routing highly sensitive conversations through automated follow-up workflows.