Instagram Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Instagram scraping and analytics skill with some hardening and privacy issues, but the artifacts do not show hidden, destructive, or deceptive behavior.

Install only if you are comfortable with browser automation against Instagram and local retention of scraped results. Use normal Instagram usernames and intended Instagram post/Reel URLs, avoid storing real account credentials in this skill unless the implementation is improved, keep generated data out of shared folders or source control, and prefer pinned dependency versions before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly suggests configuring Instagram credentials in a .env file and stores scraped profile/post analytics to local files, but it does not warn users about credential sensitivity, privacy implications of collecting third-party social-media data, or retention of locally saved outputs. This can lead to accidental credential exposure, unauthorized sharing of scraped data, or unsafe handling of potentially sensitive analytics artifacts.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Instagram Analyzer Dependencies
playwright>=1.40.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
requests>=2.31.0
Confidence
90% confidence
Finding
playwright>=1.40.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Instagram Analyzer Dependencies
playwright>=1.40.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
requests>=2.31.0
python-dateutil>=2.8.0
Confidence
90% confidence
Finding
beautifulsoup4>=4.12.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Instagram Analyzer Dependencies
playwright>=1.40.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
requests>=2.31.0
python-dateutil>=2.8.0
Confidence
95% confidence
Finding
lxml>=4.9.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
requests>=2.31.0
python-dateutil>=2.8.0
Confidence
95% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
beautifulsoup4>=4.12.0
lxml>=4.9.0
requests>=2.31.0
python-dateutil>=2.8.0
Confidence
88% confidence
Finding
python-dateutil>=2.8.0

Known Vulnerable Dependency: lxml — 10 advisory(ies): CVE-2021-43818 (lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through); CVE-2014-3146 (lxml Cross-site Scripting Via Control Characters); CVE-2021-28957 (lxml vulnerable to Cross-Site Scripting) +7 more

High
Category
Supply Chain
Confidence
78% confidence
Finding
lxml

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
80% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.
