Skillv1.0.2

ClawScan security

Instagram Content Studio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 25, 2026, 6:18 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions reasonably implement Instagram Graph API functionality, but there are coherence issues (registry metadata omits required credentials/install steps) and sensitive behaviors (writing tokens to .env, starting cloudflared tunnels to expose local files) that the user should understand before installing.
Guidance: What to check before installing: - Metadata mismatch: the registry entry claims no required env vars, but the skill requires INSTAGRAM_ACCESS_TOKEN and optionally FACEBOOK_USER_ACCESS_TOKEN / FACEBOOK_APP_ID / FACEBOOK_APP_SECRET. Treat the SKILL.md and scripts as authoritative. - Tokens: the scripts automatically refresh and overwrite values in a local .env file in plaintext. Do not keep secrets in a repository; use a dedicated .env and restrict filesystem access. Review _common.js (refreshIgToken/refreshFbToken) if you need to be certain how tokens are updated. - Local-file uploads: posting local images/videos starts a cloudflared Quick Tunnel that briefly exposes the given files to the public internet. Only provide files you are comfortable exposing and verify cloudflared is installed from an official source. - Autonomous invocation: platform default allows the agent to call the skill without an explicit user action. If you want manual approval before any publish or file-exposing action, disable autonomous invocation or require the agent to ask for confirmation. The SKILL.md's guidance to confirm captions/comments is not an enforced safeguard. - Review code and run in isolation: if you plan to use this, audit the provided scripts (especially _common.js and tunnel logic), run npm install in a sandbox or container, and consider limiting permissions by creating a dedicated Meta app with only the listed minimal permissions. - If unsure: do not supply production credentials. Test with a throwaway Instagram account and app first.

Review Dimensions

Purpose & Capability: concernThe scripts and SKILL.md clearly require an INSTAGRAM_ACCESS_TOKEN (and optionally FACEBOOK_USER_ACCESS_TOKEN, FACEBOOK_APP_ID/SECRET) and Node + cloudflared, which are appropriate for an Instagram management tool — but the registry metadata claims no required env vars/config paths. That metadata mismatch is an incoherence that could mislead users about what secrets and tooling this skill needs.
Instruction Scope: concernRuntime instructions and scripts instruct the agent to load and overwrite a local .env file, refresh and persist tokens, read local media files, and start a cloudflared tunnel that briefly exposes local files to the public internet. Those behaviors are within the stated goal (publishing local media) but elevate risk: token persistence and temporary public exposure of arbitrary local paths are sensitive operations and should be explicitly authorized by the user each time.
Install Mechanism: noteThere is no install spec in the registry (instruction-only), but the package includes Node scripts and package.json/package-lock.json; README instructs running npm install. Dependencies (dotenv, sharp) are reasonable for image/video handling. The missing install metadata is an inconsistency but not inherently malicious.
Credentials: concernThe env vars required by the code (INSTAGRAM_ACCESS_TOKEN, and optionally FACEBOOK_USER_ACCESS_TOKEN, FACEBOOK_APP_ID, FACEBOOK_APP_SECRET) are appropriate for Graph API operations. However the registry metadata omitted these requirements. The code persists refreshed tokens and Facebook user tokens back into the .env file in plaintext, and requires the app secret to perform FB token refresh — both are sensitive and warrant caution.
Persistence & Privilege: notealways:false and the skill confines changes to its own .env file; it does not request system-wide modifications. Still, the skill can be invoked autonomously (platform default) and when invoked it can read local files and start a cloudflared tunnel to publish them; combined, that increases potential impact if an agent acts without explicit confirmation.