instagram-digest

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does the advertised Instagram digest workflow, but it can store a reusable Instagram login session on disk without clear user-facing controls.

Review before installing. Use an isolated Python environment, pin or lock dependencies, provide only a throwaway Instagram account if login is needed, delete scripts/.instagram_session.json when finished or when access should be revoked, and only track content you are comfortable sending to OpenRouter for summarization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation declares required environment variables and operational behavior that imply network access, reading environment secrets, and writing files, but it does not declare permissions accordingly. This weakens user and platform visibility into what the skill can do, increasing the chance of unintended secret access, network exfiltration, or filesystem modification without informed approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The described behavior understates what the skill actually does: it logs into Instagram, stores reusable session cookies locally, downloads media assets, and operates on a fixed account list. This mismatch is dangerous because users may authorize the skill expecting a simple local summarizer, while it actually handles credentials, persists authenticated state, and performs broader data collection than disclosed.

Intent-Code Divergence

Medium
Confidence
77% confidence
Finding
The documentation says the skill only writes a local digest.html, but later refers to the digest being 'sent' and to skipping email sending. That inconsistency can mislead users about outbound communication and whether generated content may be transmitted beyond the local machine.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code performs an authenticated Instagram login using local credentials and saves a reusable browser storage state to disk, which materially expands the skill's capabilities beyond simple public scraping. In this skill context, persistent authenticated access creates unnecessary access to account-scoped data and increases the blast radius if the host is shared or the session file is stolen.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Defining a fixed on-disk session file for Instagram cookies enables persistent authenticated state across runs, which is unnecessary for a digest generator aimed at public reels. In this context, the stored session can be copied or reused by other local processes or users, effectively granting continued access to the Instagram account without re-authentication.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill states that transcripts are summarized via OpenRouter but does not clearly warn users that scraped audio-derived content is sent to an external third-party service. This creates a data exposure risk because potentially sensitive or copyrighted content may leave the local environment without explicit, prominent notice or consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code sends reel transcripts and captions to OpenRouter, a third-party API, without any visible consent, minimization, or disclosure mechanism in this component. Because transcripts and captions may contain personal, sensitive, or copyrighted content, this creates a real data exfiltration/privacy risk rather than a purely theoretical issue.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code writes browser storage state containing cookies and potentially other authenticated session material to disk without any explicit warning or protective handling. That makes credential-like artifacts easy to overlook and increases the chance of accidental exposure through backups, source-control mistakes, or multi-user systems.

Unpinned Dependencies

Low
Category
Supply Chain
Content
anthropic
playwright
python-dotenv
requests
Confidence
94% confidence
Finding
anthropic

Unpinned Dependencies

Low
Category
Supply Chain
Content
anthropic
playwright
python-dotenv
requests
yt-dlp
Confidence
94% confidence
Finding
playwright

Unpinned Dependencies

Low
Category
Supply Chain
Content
anthropic
playwright
python-dotenv
requests
yt-dlp
faster-whisper
Confidence
93% confidence
Finding
python-dotenv

Unpinned Dependencies

Low
Category
Supply Chain
Content
anthropic
playwright
python-dotenv
requests
yt-dlp
faster-whisper
Confidence
98% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright
python-dotenv
requests
yt-dlp
faster-whisper
Confidence
98% confidence
Finding
yt-dlp

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv
requests
yt-dlp
faster-whisper
Confidence
92% confidence
Finding
faster-whisper

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai
playwright
python-dotenv
requests
Confidence
93% confidence
Finding
openai

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai
playwright
python-dotenv
requests
yt-dlp
Confidence
93% confidence
Finding
playwright

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai
playwright
python-dotenv
requests
yt-dlp
faster-whisper
Confidence
95% confidence
Finding
python-dotenv

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai
playwright
python-dotenv
requests
yt-dlp
faster-whisper
Confidence
96% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright
python-dotenv
requests
yt-dlp
faster-whisper
Confidence
97% confidence
Finding
yt-dlp

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv
requests
yt-dlp
faster-whisper
Confidence
92% confidence
Finding
faster-whisper

Known Vulnerable Dependency: anthropic — 2 advisory(ies): CVE-2026-34450 (Claude SDK for Python has Insecure Default File Permissions in Local Filesystem ); CVE-2026-34452 (Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox)

Low
Category
Supply Chain
Confidence
71% confidence
Finding
anthropic

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
75% confidence
Finding
python-dotenv

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
requests

Known Vulnerable Dependency: yt-dlp — 7 advisory(ies): CVE-2023-46121 (yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection); GHSA-3v33-3wmw-3785 (yt-dlp has dependency on potentially malicious third-party code in Douyu extract); CVE-2023-40581 (yt-dlp on Windows vulnerable to `--exec` command injection when using `%q`) +4 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
yt-dlp

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
76% confidence
Finding
python-dotenv

VirusTotal

66/66 vendors flagged this skill as clean.
