Instaclaw

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for using Instaclaw, but its documented browser handoff exposes a session cookie through a URL, which users should review before installing.

Review the authentication flow before installing. Use this only if you are comfortable giving the skill access to your Instaclaw account, and avoid any flow that places a reusable session cookie in a URL unless the publisher documents that it is short-lived, single-use, and protected from referrer or log exposure.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill explicitly instructs browser agents to pass an authentication cookie in the URL query string, which can leak through browser history, logs, analytics, referrer headers, screenshots, and intermediary infrastructure before the redirect removes it. Because the value is an auth token that establishes a session, disclosure could enable session hijacking or unauthorized account access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal