Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Instagram Analyzer Wulongcha
v1.0.0
Analyze Instagram profiles and posts with detailed engagement metrics, view-to-follower ratios, and Reels-focused analytics including JSON/CSV export.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the code and SKILL.md: it implements Instagram post/profile analysis using Playwright. However, SKILL.md metadata lists required binaries (python3, chromium) while the registry metadata lists none — an inconsistency. The code requires Playwright/Chromium (via requirements.txt and runtime comments), which is expected for this purpose but should be declared.
Instruction Scope
Runtime instructions and SKILL.md ask users to configure Instagram credentials in a .env and to run CLI-like commands; the code performs browser automation (page.goto, page.content, selectors) and writes local files. The SKILL.md suggests login is needed for some metrics but the repository does not declare or document how credentials are supplied securely, nor are credentials listed in requires.env. The skill also suggests using multiple accounts for rate-limiting which implies asking for additional credentials — this broadens scope without justification.
Install Mechanism
There is no explicit install spec in the registry (instruction-only), which limits automatic installation risk. But requirements.txt and SKILL.md indicate Playwright and Chromium must be installed (including running 'playwright install chromium'). This requires downloading browsers at runtime (standard for Playwright) — not inherently malicious but higher friction and a network download that users should expect.
Credentials
The skill requests credentials in SKILL.md/config (instagram.username/password in config/analyzer_config.json and a suggestion to use .env), but the registry manifest declares no required env vars or primary credential. This mismatch is important: credentials may be needed for functionality but are not declared. The code also reads INSTAGRAM_ANALYZER_CONFIG env var if set. Requesting user Instagram credentials is proportionate to a scraper, but the skill doesn't explicitly declare or explain secure handling, storage, or transmission of those credentials.
Persistence & Privilege
The skill is not forced-always, is user-invocable, and does not request system-wide privileges. It writes outputs to its own data/ directories; no evidence it modifies other skills or global agent settings.
What to consider before installing
This repository looks like a local Playwright-based Instagram scraper and is internally coherent for that purpose, but there are a few red flags to review before you run it:
- Playwright/Chromium: The tool requires Playwright and a Chromium browser (requirements.txt and SKILL.md instruct installing them). Expect the installer to download browser binaries. If you have network or security policies, run the install in a controlled environment.
- Credentials: SKILL.md and config mention putting Instagram credentials in a .env or config file, but the registry manifest does not declare any required env vars. If you provide credentials, store them securely (not in shared repos) and prefer a throwaway or read-only account. Confirm how the script uses/stores credentials and that it does not send them to any external server.
- Data handling: The tool writes analysis to data/ directories. Confirm the output path and remove sensitive data after use if needed.
- Legal and policy: Automated scraping of Instagram can violate terms of service. Ensure you have permission to access accounts and data you analyze.
- Missing/placeholder behavior: parts of the script are simplified or placeholder (e.g., get_follower_count returns 0). Ask the author for clarification on how follower counts and logged-in scraping are implemented.
What would increase confidence: clear declaration of required env vars (and how credentials are used/kept local), documented login flow and secure credential handling, and confirmation there's no network traffic to non-Instagram/standard endpoints. If you can't get those answers, run the tool in an isolated VM/container and avoid using primary/personal Instagram credentials.
Like a lobster shell, security has layers — review code before you run it.
