Skill v1.0.0
ClawScan security
Itinerary Carousel Post · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 17, 2026, 4:41 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's stated purpose (make & publish an Instagram carousel) is plausible, but the runtime instructions assume access to secrets, repo layout, local scripts, and other skills that are not declared — the pieces don't add up and could expose sensitive credentials or require broad access.
- Guidance: This skill's workflow looks plausible for publishing Instagram carousels, but it assumes access to secrets and resources that are not declared: an Instagram Graph API token and account ID (stored in your macOS Keychain), write access to a specific GitHub repo (psyduckler/tabiji), and a local overlay script plus another skill for photo-finding. Before installing or running this skill, verify: (1) who authored the skill and whether it is intended to run in your environment; (2) you are comfortable granting access to your Instagram API token and any git credentials — prefer short-lived tokens or a dedicated account; (3) the referenced local scripts and repo exist and are safe; (4) run it in a sandboxed environment first (no access to your primary keychain or production repos). If you cannot confirm those points, do not provide real credentials or repo write access and consider rejecting the skill.
Review Dimensions
- Purpose & Capability (concern): The high-level purpose (sourcing photos, applying overlays, publishing a carousel) matches the steps in SKILL.md, but the instructions assume access to: a specific GitHub repo (psyduckler/tabiji), local overlay scripts at skills/instagram-photo-text-overlay/scripts/overlay.py, and an 'instagram-photo-find' skill workflow. None of these dependencies, paths, or credentials are declared in the skill metadata — this is disproportionate to the stated simple publish task and indicates hidden operational requirements.
- Instruction Scope (concern): Instructions tell the agent to: run web searches and curl to download Instagram images, read Instagram tokens from macOS Keychain, copy images into a repo and git push/delete files, call the Graph API with ${IG_TOKEN}/${IG_USER}, and clean up local files. The SKILL.md references secrets (instagram-access-token, instagram-account-id) and local repo paths that are not listed in requires.env or requires.config. It also references other local scripts and a separate skill. These are sensitive operations and the instructions reach outside a narrowly scoped 'publish' task (accessing keychain and pushing to repositories).
- Install Mechanism (ok): No install spec and no code files are included, which is low-risk from an installation perspective. However, the runtime assumes local Python overlay scripts and other skills that are not provided — meaning the agent will fail unless those external artifacts exist or it has network access to fetch them.
- Credentials (concern): The skill does not declare any required environment variables or credentials, yet the instructions require an Instagram Graph API access token and an account ID (and reference retrieving keys from macOS Keychain). It also requires push access to a GitHub repo (implying git credentials). Requesting account tokens and repository write access is sensitive and should be explicitly declared and minimized. The mismatch between declared and required credentials is a red flag.
- Persistence & Privilege (ok): The skill is not always-included and does not request elevated platform privileges. It does, however, instruct the agent to modify a remote repo (git push / git rm), which requires credentials and grants external persistence of images; that operational effect is significant but not encoded as a platform permission in the skill metadata.
