Itinerary Carousel Post Topaz

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a disclosed Instagram carousel automation: the skill states what it does, but as written it pushes generated images to a public GitHub repository and publishes posts with account tokens without clear confirmation boundaries.

Use this only if you control the target Instagram account and GitHub repository, trust the referenced helper skills, and are comfortable providing scoped Topaz and Instagram credentials. Review the generated slides and caption before allowing any git push or Instagram publish step.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

If run end-to-end, the agent could publish a carousel to the configured Instagram account.

Why it was flagged

The workflow directly calls the Instagram Graph API publish endpoint using an access token. Publishing is purpose-aligned, but the provided instructions do not show a final approval or preview gate before public posting.

Skill content
### Sub-agent 3: Publish to Instagram ... **Publish**: curl -s -X POST "https://graph.facebook.com/v21.0/${IG_USER}/media_publish"
Recommendation

Add an explicit final confirmation step showing the account, images, caption, and destination before calling media_publish.

Concern (High Confidence)
ASI08: Cascading Failures
What this means

Generated images may become publicly accessible on GitHub before or in addition to being posted on Instagram.

Why it was flagged

The workflow first pushes generated images to a public GitHub repository/CDN and then uses those URLs for Instagram publishing. A bad image, caption, or file overwrite could propagate to multiple public locations.

Skill content
Host images publicly — copy slides to tabiji repo (`img/instagram/`), git push, use raw GitHub URLs (`https://raw.githubusercontent.com/psyduckler/tabiji/main/img/instagram/slide-{N}.jpg`).
Recommendation

Require user confirmation before git push, avoid hard-coded repository destinations, use unique filenames, and document cleanup or rollback steps.
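The two recommendations above, a confirmation gate before `media_publish` (finding 1) and unique filenames so a re-run cannot overwrite a slide that is already live (finding 2), as one worked publish step. This is an added example, not the skill's own code: it keeps the Graph API endpoints the skill calls (`/{IG_USER}/media` and `/{IG_USER}/media_publish` on v21.0) and uses the documented container fields (`image_url`, `is_carousel_item`, `media_type=CAROUSEL`, `children`, `creation_id`); the function names, the `DRY_RUN` switch and the content-hash filename scheme are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own code. A carousel publish step with the
# gates recommended above: content-addressed filenames, an on-screen preview,
# a typed confirmation, and a single choke point for every Graph API write.
set -euo pipefail

GRAPH="https://graph.facebook.com/v21.0"

# slide-<12 hex chars of sha256>-<index>.jpg: a re-run with new images can
# never overwrite a slide that is already referenced by a live post.
unique_slide_name() {             # $1 = local jpg, $2 = slide index
  local digest
  if command -v sha256sum >/dev/null 2>&1; then
    digest=$(sha256sum "$1" | cut -c1-12)
  else
    digest=$(shasum -a 256 "$1" | cut -c1-12)   # macOS fallback
  fi
  printf 'slide-%s-%s.jpg\n' "$digest" "$2"
}

# Exactly what the operator must see before anything becomes public.
preview() {                       # $1 = IG user id, $2 = caption, $3.. = image URLs
  local ig_user=$1 caption=$2; shift 2
  printf 'Account : %s\nCaption : %s\nSlides  :\n' "$ig_user" "$caption"
  printf '  %s\n' "$@"
}

# Hard stop. Reads the answer from stdin, so only a literal "yes" typed (or
# piped) at this point proceeds; an environment variable cannot pre-approve it.
confirm_or_abort() {
  local answer
  printf 'Type "yes" to publish, anything else aborts: ' >&2
  IFS= read -r answer || answer=""
  [ "$answer" = "yes" ]
}

# The only place the access token is used and the only place curl is called.
# DRY_RUN=1 logs the request to stderr and returns a fake id instead of sending.
graph_post() {                    # $1 = path under GRAPH, $2.. = form fields
  local path=$1; shift
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'POST %s/%s %s\n' "$GRAPH" "$path" "$*" >&2
    printf '{"id":"dry-run"}'
    return 0
  fi
  local url="$GRAPH/$path" field
  for field in "$@"; do set -- "$@" --data-urlencode "$field"; shift; done
  curl -sS --fail -X POST "$url" "$@" \
    --data-urlencode "access_token=${IG_TOKEN:?IG_TOKEN not set}"
}

# Pull the "id" out of a Graph API JSON reply such as {"id":"1784..."}.
extract_id() { sed -n 's/.*"id":"\([^"]*\)".*/\1/p'; }

# Create the item containers, then the carousel container, then (and only
# then) call media_publish. Returns 1 with nothing published if the gate fails.
publish_carousel() {              # $1 = IG user id, $2 = caption, $3.. = public URLs
  local ig_user=$1 caption=$2; shift 2
  if [ "$#" -lt 2 ] || [ "$#" -gt 10 ]; then
    echo "a carousel needs 2 to 10 slides, got $#" >&2; return 2
  fi
  preview "$ig_user" "$caption" "$@" >&2
  confirm_or_abort || { echo "aborted: nothing was published" >&2; return 1; }
  local url id children=""
  for url in "$@"; do
    id=$(graph_post "$ig_user/media" "image_url=$url" "is_carousel_item=true" | extract_id)
    children="${children:+$children,}$id"
  done
  id=$(graph_post "$ig_user/media" "media_type=CAROUSEL" "children=$children" \
                  "caption=$caption" | extract_id)
  graph_post "$ig_user/media_publish" "creation_id=$id" | extract_id
}
```

Name each slide with `unique_slide_name` before copying it into the repository, and put the same typed gate in front of the `git push`, since that step is the first one that makes the images public. Run with `DRY_RUN=1` first: stdout carries only the published media id, while the preview, prompt and request log go to stderr, so the function can be chained without the gate being bypassed.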

What this means

The agent needs access to credentials that can spend Topaz API quota and publish to an Instagram account.

Why it was flagged

The skill uses a local Topaz API key and an Instagram access token. This is expected for Topaz enhancement and Instagram publishing, but the registry metadata declares no required credentials.

Skill content
TOPAZ_API_KEY=$(security find-generic-password -s "topaz-api-key" -w) ... --header "X-API-Key: ${TOPAZ_API_KEY}" ... -d "access_token=${IG_TOKEN}"
Recommendation

Use narrowly scoped tokens, confirm the intended Instagram user ID, and declare required credentials in the skill metadata.

What this means

Part of the workflow depends on code or skills that were not reviewed here.

Why it was flagged

The instruction-only skill depends on external skill workflows and a local Python script that are not included in the provided artifact set.

Skill content
Use the `instagram-photo-find` skill workflow ... python3 skills/instagram-photo-text-overlay/scripts/overlay.py
Recommendation

Install and review the referenced skills/scripts before use, and declare them as dependencies.