Openclaw Skills

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill's Instagram-content workflow is mostly disclosed and purpose-aligned, but one helper script unsafely embeds inputs into executable Python, which could let crafted input run local code.

Review or fix the shell/Python helper scripts before using this on untrusted media or generated plans. If you proceed, run it in a contained working directory, use previews/dry-run first, verify the Instagram account and caption, and be aware that transcription sends episode audio to OpenAI.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

A malicious or malformed input path/content plan could cause the helper to run commands on the user's machine when extracting frames.

Why it was flagged

The script interpolates shell variables directly into a Python program passed to python3 -c. Timestamp JSON and file paths are supplied at runtime, so crafted values containing quotes or Python syntax could break out of the intended string and execute unintended local code.

Skill content
python3 -c "... timestamps = json.loads('''$TIMESTAMPS_JSON''')\nvideo = '$VIDEO_FILE'\nframes_dir = '$FRAMES_DIR' ..."
Recommendation

Do not embed runtime data into Python source strings. Pass JSON and paths through files, stdin, argv, or environment variables, then parse them safely; also validate/sanitize timestamp objects before running ffmpeg.

What this means

If approved or run with the posting flag, the skill can publish content to the logged-in Instagram account.

Why it was flagged

The skill intentionally controls a browser to upload media and publish Instagram posts/Reels. This is disclosed and approval-gated, but it is still high-impact account automation.

Skill content
Uses `openclaw browser` to: ... Upload the staged media ... Enter the caption text ... Screenshot the preview for final confirmation ... Only post after explicit approval
Recommendation

Use dry-run/preview first, review the exact media and caption, and only approve posting when the target account and content are correct.

What this means

Episode audio is sent to OpenAI for transcription, and the logged-in Instagram account is used to create drafts or posts.

Why it was flagged

The skill uses an OpenAI API key for transcription and a logged-in Instagram browser session for posting. These credentials are purpose-aligned and disclosed, but the registry metadata lists no required credentials or env vars.

Skill content
`OPENAI_API_KEY` for `scripts/transcribe.sh` ... `openclaw browser` for the Instagram draft flow ... an Instagram session already logged into the OpenClaw browser profile
Recommendation

Use a dedicated or least-privilege account/session where possible, confirm you are comfortable sending the episode audio to OpenAI, and set API keys only in the intended shell environment.

What this means

Running npm install may execute dependency install logic or fetch/build native components.

Why it was flagged

The optional slide-generation dependency is pinned in the lockfile but uses a native install/prebuild path. The README makes npm install user-directed, so this is a supply-chain notice rather than hidden installation behavior.

Skill content
"node_modules/canvas": { "version": "3.2.3", ... "hasInstallScript": true, ... "prebuild-install": "^7.1.3" }
Recommendation

Install dependencies only from a trusted network/environment, keep the lockfile intact, and avoid running npm install if you do not need local carousel rendering.