Instapaper
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: instapaper Version: 0.2.9 The skill bundle provides instructions and examples for installing and using the `instapaper-cli` tool. All commands and documentation are directly related to the stated purpose of managing Instapaper bookmarks. While installation instructions involve fetching and executing code from a remote GitHub repository (`go install github.com/vburojevic/instapaper-cli/cmd/ip@latest`), this is a standard method for installing CLI tools and is transparently presented in `SKILL.md`. There is no evidence of intentional harmful behavior, data exfiltration, unauthorized execution, persistence, or prompt injection attempts against the agent to perform actions beyond the skill's stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using these commands could archive, move, import, delete, or otherwise change Instapaper bookmarks, folders, or highlights.
The skill documents destructive and bulk account operations. They are aligned with the Instapaper CLI purpose and include explicit flags/IDs, but they can still change or delete user account data if used incorrectly.
`ip delete 123456 --yes-really-delete` ... `ip archive --ids 1,2,3` ... `printf "10\n11\n12\n" | ip unarchive --stdin`
Use dry-run or idempotent modes where available, verify IDs and input files before bulk actions, and require clear user approval before delete/import/folder-change operations.
Providing credentials lets the CLI access and modify the user's Instapaper account according to the commands run.
The skill requires Instapaper API/login credentials to perform its intended function. This is expected, and the artifact gives password-handling guidance, but the registry metadata does not declare a credential contract.
Ensure `INSTAPAPER_CONSUMER_KEY` and `INSTAPAPER_CONSUMER_SECRET` are set or passed during login. Prefer `--password-stdin` for auth; never store the password.
Provide credentials only to a trusted installed CLI, prefer secure stdin or environment handling, and avoid exposing credentials in shell history, logs, or shared transcripts.
The behavior and security of account operations depend on the externally installed `ip` CLI version.
The skill directs users to install an external CLI, including an unpinned `@latest` Go install and a third-party Homebrew tap. This is central to the skill's purpose, but users should verify the source and version.
Go install: `go install github.com/vburojevic/instapaper-cli/cmd/ip@latest` ... Homebrew: `brew tap vburojevic/tap && brew install instapaper-cli`
Install from a trusted source, consider pinning or reviewing a specific release, and verify the repository before providing Instapaper credentials.