Reddit Quote Carousel Topaz
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill is clear about making a Reddit-quote Instagram carousel, but it also uses local account credentials and can push/publish public content without a visible approval checkpoint.
Review this skill carefully before installing. It appears purpose-aligned for creating a carousel, but you should require a manual preview and approval before any Instagram publish, git push, or cleanup step, and verify which Keychain credentials and helper scripts it will use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could post publicly or change hosted repository files as part of the workflow, potentially before the user has reviewed the final images, captions, or cleanup scope.
Publishing to Instagram, pushing to a repository, and cleaning up hosted images are high-impact mutations. The provided instructions make them part of the default pipeline and do not show a final approval or scope check before publication/deletion.
### Sub-agent 3: Publish to Instagram 1. Host images in tabiji repo (`img/instagram/`), git push, use raw GitHub URLs 2. Create carousel item containers 3. Create carousel container with caption 4. Publish 5. Get permalink 6. Cleanup hosted images + local temp files
Add an explicit preview-and-confirm step before git push, Instagram publish, or hosted-image cleanup, and scope cleanup to exact generated filenames only.
Installing or invoking the skill could let the agent use local Instagram and Topaz credentials to spend API quota and publish to the configured account.
The skill reads local Keychain credentials for an Instagram account and Topaz API. The registry metadata declares no primary credential, required env vars, or OS restriction, and the shown instructions do not bound token scope or require user confirmation before account use.
## Instagram API Auth Keys from macOS Keychain: - `instagram-access-token` — Graph API token - `instagram-account-id` — IG user ID (17841449394591017) ## Topaz API Auth - `topaz-api-key` — Topaz Labs API key (macOS Keychain)
Declare required credentials and OS requirements in metadata, document the exact scopes needed, and require confirmation before using the Instagram publishing token.
The workflow may fail on other machines or run code that was not part of this reviewed skill package.
The workflow depends on a hard-coded local helper script from another skill path that is not included in the supplied artifact set. This may be benign, but the dependency and provenance are not declared in install metadata.
python3 /Users/psy/.openclaw/workspace/skills/instagram-photo-text-overlay/scripts/overlay.py
Declare the helper skill as a dependency, avoid hard-coded personal paths, and ensure users can review the overlay script before it is invoked.
Photos selected for the carousel are uploaded to an external image-enhancement provider and may be subject to that provider's retention and usage policies.
The skill sends selected image files to Topaz Labs for enhancement. This is purpose-aligned and disclosed, but it is still an external provider data flow that users should understand.
curl --request POST \
--url https://api.topazlabs.com/image/v1/enhance \
--header "X-API-Key: ${TOPAZ_API_KEY}" \
...
--form "image=@/tmp/ig-reddit-quote/${slug}-best.jpg"Use only images the user is comfortable uploading to Topaz, and document the provider data handling expectations.