autonomous
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This package claims to be a Dropbox/document-fixing skill but actually contains a private Instagram data export with messages, account activity, and login-related files.
Do not install this skill unless you specifically intend to load these Instagram export files and trust the publisher. There is no executable code shown, but the package contents are unrelated to the stated Dropbox/document-fixing description and include sensitive personal data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user installing the skill may import unrelated private social-media data into their agent environment, and the package provenance does not match its advertised purpose.
The package includes many Instagram account-export files, including messages, login activity, and device information, which are unexpected for the claimed Dropbox/cloud document-fixing skill.
your_instagram_activity/messages/secret_conversations.html; ... security_and_login_information/login_and_profile_creation/login_activity.html; ... personal_information/device_information/devices.html
Do not install unless the publisher explains why these Instagram export files are included and removes any unrelated personal data from the skill bundle.
Sensitive personal data may be made available in agent context without a clear purpose, retention policy, or user control.
The bundled files appear to contain private Instagram messages, personal profile information, and location/login-related records that could be exposed to or reused by an agent if the skill is invoked.
your_instagram_activity/messages/inbox/.../message_1.html; personal_information/personal_information/personal_information.html; security_and_login_information/login_and_profile_creation/last_known_location.html
Avoid loading this bundle into an agent context; the publisher should strip private exports and document any intended data use.
Users may trust and install the skill for document repair without realizing it contains unrelated personal social-media data.
The metadata suggests a Dropbox/document-fixing skill, while the actual bundled files are Instagram account data; this mismatch could mislead users about what they are installing.
Name: autonomous; Description: dropboxengineclouddocumentfixingfiles
Require accurate metadata and a clear SKILL.md explaining the bundle contents before installation.