Instagram Scraper

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Instagram public-profile scraper, but users should understand it sends requests to Instagram and stores results locally.

Install only if you are comfortable making outbound requests to Instagram's infrastructure and storing scraped public profile/post data on disk. Use conservative rate limits, verify that your use complies with Instagram's terms and your organization's policies, and delete files under ./storage/instagram/ when they are no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 90% confidence
Finding: The skill explicitly states that scraped Instagram profile data is saved to `./storage/instagram/<username>.json`, but the skill description does not warn users that local files will be created. This can lead to unexpected retention of scraped data on disk, which matters in shared environments, ephemeral agents, or workflows handling sensitive research targets.

Missing User Warnings

Low

Confidence: 91% confidence
Finding: The skill description does not warn that requested usernames and related request metadata will be transmitted to Instagram's servers via an internal API. Even though the target data is public, this creates privacy, compliance, and operational visibility concerns because user queries may be logged by Instagram or intermediaries and may violate platform terms or internal policy.

VirusTotal

No VirusTotal findings

View on VirusTotal