Back to skill

Security audit

video

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it downloads Instagram Reels through a named third-party downloader and sends the resulting video through WhatsApp, with privacy caveats.

Install only if you are comfortable sharing Reel URLs with sssinstagram.com and sending the downloaded media through WhatsApp. Review where downloads are stored, use the cleanup script or delete files after use, and avoid private or sensitive links unless you trust those services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to fetch content from a third-party site, save it locally, and transmit the resulting media over WhatsApp without explicitly warning the user about those data flows. This can create privacy and consent issues because the reel URL and downloaded media are exposed to external services and persisted on disk, potentially beyond the immediate task.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script submits a user-provided Instagram Reel URL to sssinstagram.com, a third-party service, without any disclosure or consent mechanism in the code path. Even though the input is URL-validated, this still exposes user activity and requested content to an external party, which creates a real privacy and data-handling risk in a downloader skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/download_via_sss.mjs:16