Back to skill

Security audit

Maxhub Instagram

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed read-only Instagram analytics tool, but it warrants Review because it enables broad third-party social-data collection and optional credential/session transfer.

Install only if you are comfortable sending Instagram targets, searches, URLs, location-related queries, and your MaxHub API key to https://www.aconfig.cn. Avoid providing Instagram cookies, session tokens, or production account credentials, and use the skill only for public or clearly authorized analysis with tight limits on follower, liker, comment, and bulk scraping workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill explicitly states that user-provided cookies and similar credentials may be transmitted to a third-party API, while also mentioning content categories such as private messages and contacts in the returned data warning. That creates a real privacy and credential-handling risk because the skill is marketed as read-only/public-or-authorized analytics, yet it normalizes sending highly sensitive session material and processing potentially non-public personal data through an external service.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The documentation promotes 'data scraping' and bulk collection workflows for competitor accounts and material-library building, which goes beyond minimal, user-scoped analytics and encourages large-scale harvesting of social data. Even if technically read-only, this expands privacy, compliance, and misuse risk by facilitating aggregation, retention, and downstream profiling of personal or user-generated content.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The documented `v3_get_recommended_reels` endpoint enables generic recommendation harvesting rather than servicing a user-specified public lookup target. That broadens the skill from read-only analysis into open-ended content collection, which can facilitate mass scraping, profiling, or trend harvesting beyond the user's explicit authorization scope described in the skill metadata.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The likes-list endpoint exposes identities of users who interacted with a post, which is more privacy-sensitive than returning aggregate like counts. The reference presents this as a normal retrieval path without requiring a privacy warning, authorization check, or minimization guidance, increasing the risk of collecting interpersonal engagement data for profiling or surveillance.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
Tying translation output to the request account's language settings can produce silent, user-uncontrolled transformations of content. While lower severity than scraping issues, it can mislead users, create inconsistent results across accounts, and process content in a way the user did not explicitly select or understand.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The keyword "发现" is ambiguous in everyday Chinese and can easily match unrelated user intent, making accidental invocation more likely than a deliberate feature request. Because this skill can chain into additional Instagram data lookups, an incorrect initial match may propagate into broader unintended collection or analysis of social data.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The keyword "发现" is ambiguous in everyday Chinese and can easily match unrelated user intent, making accidental invocation more likely than a deliberate feature request. Because this skill can chain into additional Instagram data lookups, an incorrect initial match may propagate into broader unintended collection or analysis of social data.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases “看回复” and “评论回复” are short and generic, so the recipe may activate on ordinary conversational requests without sufficient confirmation of scope or authorization context. In a skill that accesses Instagram comments and replies, overly broad activation can cause unintended data retrieval and expansion beyond what the user explicitly requested.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The bulk-translation triggers “批量翻译” and “翻译所有评论” are ambiguous enough to match broad user language while initiating collection of up to 10 comment IDs and downstream translation processing. Because this recipe chains comment extraction with bulk translation, accidental activation can increase data handling and processing of user-generated content beyond the minimum necessary for the request.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases for the comments recipe are broad enough that ordinary user requests like '看评论' could invoke comment harvesting without clear intent confirmation. In this skill context, the endpoint retrieves public social interaction data, so accidental activation could expose commenter data beyond what the user specifically asked for.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Ambiguous triggers like '作者' or '博主主页' are underspecified and may cause the agent to pivot from a post to a user profile without sufficiently explicit user authorization. In a social-data lookup skill, this increases the risk of unintended profile enrichment and collection of related personal/public account information.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The likes lookup trigger is especially sensitive because phrases like '点赞列表' or '谁点赞' can easily map from casual conversational requests to fetching a list of user identities associated with engagement. In this skill's context, that creates a stronger privacy and misuse risk than ordinary content retrieval because it enumerates social graph/interaction data.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The recipe uses broad trigger phrases like '搜用户' and '找博主' that can match ordinary user requests without clearly signaling that third-party Instagram profile data will be queried. In this skill context, ambiguous activation is more dangerous because the downstream actions retrieve external social graph and profile information, increasing the chance of over-collection or unintended disclosure.

Vague Triggers

Low
Confidence
81% confidence
Finding
The trigger phrases around followers/social relationship queries are underspecified, which may cause the recipe to activate on vague requests like '粉丝列表' or '关注粉丝' without sufficient context. Although this is a recipe-definition issue rather than direct code execution, it is risky here because the endpoint can expose relationship data about third parties.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file presents recipes for looking up profiles, posts, highlights, stories, and followers, but does not include a user-facing warning that the skill retrieves third-party social-media and relationship data. In this context, the lack of transparency makes accidental privacy-invasive use more likely and weakens informed consent and safe-use expectations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document instructs agents to send user-provided search queries, usernames, coordinates, and derived identifiers to an external API endpoint, but it does not require an explicit user warning or consent check before transmitting potentially sensitive data. This is risky because search terms and location coordinates can reveal personal interests, intent, or physical whereabouts, and the skill context explicitly supports chained lookups that can expand a small initial query into broader profile or location data retrieval.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly enables collection of relationship data (followers/following), stories/highlights, account about information, and former usernames, but it does not require a user-facing privacy notice or a purpose/authorization check before retrieving this data. Even if the data is public or API-authorized, these endpoints facilitate profiling and aggregation of sensitive social graph and account-history information, which can be misused for surveillance, doxxing, or unauthorized intelligence gathering.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file documents bearer-token authenticated requests to an external domain and instructs agents to send usernames, user IDs, and related account queries there, but it does not clearly disclose this external data transfer risk at the point of use. This can cause users or downstream agents to unknowingly transmit identifiers and query targets to a third-party service, creating privacy, compliance, and trust issues.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.