ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Instagram Skill via cyberdrk/gram CLI

v1.0.0

Instagram CLI for viewing feeds, posts, profiles, and engagement via cookies.

5· 3.1k·8 current·8 all-time
by@arein
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary ('gram'), and the install spec for @cyberdrk/gram align with an Instagram CLI that authenticates with cookies and performs read and engagement actions.
!
Instruction Scope
Instructions explicitly describe extracting cookies from browser profiles or accepting sessionid/csrf/ds_user_id tokens. Reading browser profile dirs or cookie DBs can expose other site cookies if misused; the skill also supports actions (like, comment, follow) which can modify the user's account. These behaviors are coherent with the stated purpose but are sensitive and should be handled carefully.
Install Mechanism
Install is an npm package (@cyberdrk/gram) which is a typical distribution method for CLIs. Npm packages are moderate risk compared to pre-vetted system packages — verify publisher/release and review package before global install.
Credentials
No required environment variables or unrelated credentials are declared. The skill expects cookie/session tokens or access to browser cookie stores — that is proportionate to Instagram access but is high-sensitivity data.
!
Persistence & Privilege
always:false (good). However, the skill can perform account-changing actions (like/comment/follow). If the agent is allowed to invoke the skill autonomously, it could perform those actions on your behalf — consider restricting autonomous invocation or requiring explicit user confirmation for engagement commands.
Assessment
This skill appears to do what it says (an Instagram CLI using cookies) but it requires sensitive access: you must provide Instagram session cookies or point it at browser profile cookie DBs. Before installing or using it: 1) Verify the npm package and maintainer (review the GitHub repo and npm page) instead of blindly trusting the package name. 2) Prefer supplying cookies/tokens manually (via --session-id, --csrf-token, --ds-user-id) rather than giving the tool a browser profile directory so it cannot read unrelated cookies. 3) If you do allow cookie extraction, limit the path you give it and run it in a safe environment; browser cookie DBs may contain other sites' credentials. 4) Be cautious with engagement commands (like/comment/follow) — consider using the tool read-only or requiring confirmation before any action that changes your account. 5) Avoid global installs on sensitive machines; consider containerizing or running in a throwaway environment. 6) If you enable agent/autonomous invocation, restrict or monitor it to prevent unexpected actions on your account. If you want more assurance, ask for the exact npm package version, a link to its release tarball, or a short audit of the package source before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📸 Clawdis
Binsgram

Install

Install gram (npm)
Bins: gram
npm i -g @cyberdrk/gram
latestvk97f7f7rmnerf88qss0dn78rzn7zxdxs
3.1kdownloads
5stars
1versions
Updated 1h ago
v1.0.0
MIT-0
@arein
latest
Download

gram 📸

Instagram CLI using REST/GraphQL API + cookie auth.

Install

# npm/pnpm/bun
npm install -g @cyberdrk/gram

# One-shot (no install)
bunx @cyberdrk/gram whoami

Authentication

gram uses cookie-based auth from your Instagram web session.

Use --session-id, --csrf-token, and --ds-user-id to pass cookies directly, or --cookie-source for browser cookies.

Run gram check to see which source is active. For Arc/Brave, use --chrome-profile-dir <path>.

Commands

Account & Auth

gram whoami                    # Show logged-in account
gram check                     # Show credential sources
gram query-ids --refresh       # Refresh GraphQL query ID cache

Reading Posts

gram post <shortcode-or-url>   # View a post
gram <shortcode-or-url>        # Shorthand for post
gram comments <shortcode> -n 20 # View comments on a post
gram likers <shortcode>        # View users who liked a post

Feeds

gram feed -n 20                # Home feed
gram explore -n 20             # Explore/discover feed

User Profiles

gram user <username>           # View user profile
gram user @instagram --json    # JSON output
gram posts <username> -n 20    # User's posts
gram following [username]      # Users someone follows (defaults to you)
gram followers [username]      # Someone's followers (defaults to you)

Search

gram search "query"            # Search users, hashtags, places
gram search "coffee" --type users
gram search "nyc" --type places
gram search "#photography" --type hashtags

Engagement Actions

gram like <shortcode>          # Like a post
gram unlike <shortcode>        # Unlike a post
gram save <shortcode>          # Save/bookmark a post
gram unsave <shortcode>        # Unsave a post
gram comment <shortcode> "nice!" # Comment on a post
gram follow <username>         # Follow a user
gram unfollow <username>       # Unfollow a user

Output Options

--json          # JSON output
--json-full     # JSON with raw API response in _raw field
--plain         # No emoji, no color (script-friendly)
--no-emoji      # Disable emoji
--no-color      # Disable ANSI colors (or set NO_COLOR=1)

Global Options

--session-id <token>           # Instagram sessionid cookie
--csrf-token <token>           # Instagram csrftoken cookie
--ds-user-id <id>              # Instagram ds_user_id cookie
--cookie-source <source>       # Cookie source for browser cookies (repeatable)
--chrome-profile <name>        # Chrome profile name
--chrome-profile-dir <path>    # Chrome/Chromium profile dir or cookie DB path
--firefox-profile <name>       # Firefox profile
--timeout <ms>                 # Request timeout
--cookie-timeout <ms>          # Cookie extraction timeout

Config File

~/.config/gram/config.json5 (global) or ./.gramrc.json5 (project):

{
  cookieSource: ["safari", "chrome"],
  chromeProfile: "Profile 1",
  timeoutMs: 60000
}

Environment variables: GRAM_TIMEOUT_MS, GRAM_COOKIE_TIMEOUT_MS

Troubleshooting

Query IDs stale (404 errors)

gram query-ids --refresh

Cookie extraction fails

  • Check browser is logged into Instagram
  • Try different --cookie-source
  • For Arc/Brave: use --chrome-profile-dir
  • Provide cookies manually: --session-id, --csrf-token, --ds-user-id

User-agent mismatch errors

  • The CLI uses desktop user-agent by default
  • If your session was created on mobile, it may fail
  • Create a new session by logging in via desktop browser

TL;DR: View feeds, profiles, search, and engage with Instagram via CLI. 📸

Comments

Loading comments...