Back to skill

Security audit

Instagram Reel Extractor

Security checks across malware telemetry and agentic risk

Overview

This skill openly reads an already-open Instagram DM tab to collect reel links into a local CSV, which is sensitive but matches its stated purpose.

Install only if you are comfortable letting the agent inspect your logged-in Instagram DMs. Check where instagram_reels.csv is written, avoid running it on conversations you do not want processed, and delete the CSV when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to extract Instagram DM content metadata and persist it to a local CSV file without any explicit user consent flow, disclosure of retention, or data-minimization controls. Because DMs are private communications, silently copying sender identifiers and reel links to local storage creates a privacy and compliance risk, especially on shared machines or in environments with weak file access controls.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.