Instagram Page

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Instagram Graph API helper, but it uses long-lived Instagram/Meta credentials and can publish or moderate public content, so it should be used carefully.

Install only if you trust the publisher and intend to let the agent manage an Instagram Business/Creator account. Keep the credentials.json file private, delete IG_APP_SECRET after setup, grant minimal Meta permissions, and manually confirm any publish, delete, hide, or reply action before it is sent.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token file is exposed or used incorrectly, actions may be taken through the connected Instagram Business/Creator account within the granted permissions.

Why it was flagged

The skill depends on a sensitive local credential file containing a long-lived Instagram/Meta access token and optional app credentials.

Skill content

"primaryCredential": { ... "fields": ["IG_ACCESS_TOKEN", "IG_USER_ID", "IG_APP_ID", "IG_APP_SECRET"], ... "sensitive": true

Recommendation

Grant only the minimum Meta permissions needed, restrict the file to the current user, delete IG_APP_SECRET after setup, and rotate the access token if the machine or file is exposed.

What this means

A mistaken media ID, comment ID, caption, or publish action could create or remove public Instagram content.

Why it was flagged

The documented API calls include public publishing and comment moderation operations. These are aligned with the skill's purpose but can change public account content.

Skill content

| Post single photo | POST x2 ... | Reply to comment | POST ... | Delete comment | DELETE ... | Hide/show comment | POST |

Recommendation

Before publishing, deleting, hiding, or replying, review the target account, media/comment IDs, captions, and media URLs; consider requiring a final user confirmation for these actions.

What this means

Users may not see the credential requirement from registry fields alone and should read the skill instructions before use.

Why it was flagged

The registry-level metadata has limited provenance and appears to under-declare the credential/config path, while the skill text and _meta.json disclose the credential file.

Skill content

Source: unknown; Homepage: none; Required config paths: none; Primary credential: none

Recommendation

Verify the commands against Meta's official Graph API documentation and confirm the credential file path and permissions before installing or invoking the skill.