Instagram Content Studio

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for Instagram management, but it needs review because it can post/comment, rewrite access tokens, and briefly expose selected local media files through a public tunnel.

Install only for an Instagram account and Meta app you are comfortable letting an agent operate. Use a dedicated .env file outside source control, avoid arbitrary --env paths, prefer public media URLs over local-file tunneling when possible, and confirm the exact files, captions, and comments before allowing publish or comment commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes scripts that require environment-variable access and outbound network access, but these capabilities are not explicitly declared as permissions. This weakens reviewability and user consent because a caller may not realize the skill can read secrets from a .env file and communicate with external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill as routine Instagram management, but the documented behavior also refreshes tokens, overwrites credentials in plaintext, runs a local file server, and creates a public cloudflared tunnel for uploads. That mismatch is dangerous because users and reviewers may approve the skill for simple social-media actions without realizing it also performs credential mutation and temporary internet exposure of local files.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code performs credential lifecycle management by refreshing Instagram and Facebook tokens and then persisting the new secrets back into the local .env file. While this may be intended for convenience, it expands the skill from API use into secret management and silent local credential mutation, increasing the blast radius if the skill is misused or the host is shared.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill reads arbitrary local media files and serves them over an internet-accessible Cloudflare tunnel so Instagram can fetch them. Even if intended to enable uploads, this exposes local file contents outside the host boundary and creates a public network surface that is broader than ordinary Instagram account management.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Spawning cloudflared creates an outbound tunnel process that publishes a local HTTP server to the public internet. This is a powerful capability not inherent to comment/profile management, and if abused or misconfigured it can expose sensitive local content and bypass expected network controls.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger phrase 'Use when the user requests any Instagram-related task' is overly broad and can cause the skill to be invoked for vague Instagram queries that do not require account-modifying operations. In this skill's context, accidental invocation is more dangerous because the skill has posting, commenting, token-refresh, and local-file exposure capabilities.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The spec explicitly supports posting local files by exposing them through a cloudflared quick tunnel, but it does not warn that this creates a publicly reachable URL for local content during operation. In an agent context, this can unexpectedly expose sensitive local media or nearby-served files to third parties or logs, especially if the agent selects local paths autonomously.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The spec states that refreshed tokens are written back to the provided .env path, which means running the skill modifies credential files on disk. Without a prominent warning and consent model, an agent may overwrite secrets, rotate credentials unexpectedly, or write updated tokens into an unintended file path supplied via --env.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The local upload path automatically starts a public tunnel and makes local media retrievable from a public URL, but the code provides no explicit warning or confirmation at the point of exposure. This creates a consent and transparency issue because users may not realize their local files are briefly available on the public internet.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Instagram token refresh path silently writes a new access token into the .env file, changing local secret storage without explicit disclosure. This is dangerous because it persists credentials in plaintext and may surprise operators who expected runtime-only token handling.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Facebook token refresh function silently updates the local .env file with a new user access token. Persisting fresh credentials to disk without explicit disclosure increases the risk of secret leakage through filesystem access, backups, or source-control mistakes.

Credential Access

High
Category
Privilege Escalation
Content
name: instagram-api
description: Manage an Instagram account. View profile, list posts, publish images/carousels, publish videos/Reels, and read/write comments. Use when the user requests any Instagram-related task.
allowed-tools: Bash(node scripts/*)
compatibility: Requires node (v22+), npm, and cloudflared (for local file uploads). Requires env var INSTAGRAM_ACCESS_TOKEN in a .env file. Requires internet access to graph.instagram.com.
metadata:
  version: "1.0"
---
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
  // Update runtime
  process.env.INSTAGRAM_ACCESS_TOKEN = newToken;

  // Persist to .env file
  let envContent = fs.readFileSync(envPath, "utf-8");
  envContent = envContent.replace(
    /INSTAGRAM_ACCESS_TOKEN=.*/,
Confidence
89% confidence
Finding
.env

VirusTotal

66/66 vendors flagged this skill as clean.
