ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Instagram Publisher

v1.0.1

Publish posts to Instagram. Use when the user says 'post to Instagram', 'publish on IG', 'schedule Instagram post', 'create Instagram carousel', 'post a Reel...

0· 51·1 current·1 all-time
by@snoopyrain
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (publish to Instagram) match the declared requirement (an MCP Connector link to Boring) and the SKILL.md describes only publishing-related actions (list accounts, upload media, publish/schedule/cancel posts). The required config (MCP link containing an auth token) is consistent with a 3rd-party publishing integration.
Instruction Scope
SKILL.md only instructs connector actions (boring_list_accounts, boring_upload_file, boring_publish_post, etc.), requires media URLs or an upload step, and does not instruct the agent to read unrelated system files or environment variables. It does route media and publish operations through Boring's servers (re-hosting/upload), which is expected for this integration.
Install Mechanism
Instruction-only skill with no install spec and no code files—lowest-risk install surface. There is no download or package installation performed by the skill.
Credentials
The only required credential is the MCP Connector link (an embedded auth token). That is proportionate for a publisher skill, but the token appears to be long-lived (60 days) and grants publish permissions — a sensitive capability. No unrelated environment variables or secrets are requested.
Persistence & Privilege
Skill is not always-included and has no install-time persistence. It can be invoked autonomously (platform default), which combined with a publish-capable token means an agent could post if configured to do so; autonomous invocation itself is normal but worth awareness.
Assessment
This skill appears internally consistent, but take these precautions before installing: treat the MCP Connector link like a password and do not paste it in public chat; verify the Boring service (https://boring.aiagent-me.com) and the GitHub source if you need supply-chain confidence; prefer testing with a non-critical Instagram Business account first; understand the link grants publish rights (can create/schedule posts) and is long‑lived — revoke/regenerate it if you suspect compromise; and be aware that an autonomously-invoking agent combined with this token could publish without extra confirmation, so only enable autonomous actions if you trust the agent's rules.

Like a lobster shell, security has layers — review code before you run it.

latestvk976s9nn6pggsre1zzbagyapj983q75y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📸 Clawdis
ConfigMCP Connector link from boring.aiagent-me.com (contains embedded auth token)

Comments