Skill v1.0.0

ClawScan security

golden-rule · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 14, 2026, 7:49 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions match its stated Instagram automation purpose, but there are multiple coherence and safety gaps (missing declared env/deps, undeclared CLI usage, and a prompt-injection signal) that warrant caution before installing.
Guidance
This skill implements the claimed Instagram automation, but it contains several coherence issues you should resolve before using it:
1) The package metadata does not declare required environment variables (IG_ACCESS_TOKEN, IG_ACCOUNT_ID) or the Python dependency 'requests' even though the script needs them — treat missing declarations as a sign that you must manually review/prepare the environment.
2) The script calls the local 'openclaw' CLI to send notifications; ensure that CLI is present and you trust it, or remove that call if you don't want outbound notifications.
3) There is a prompt-injection indicator (unicode-control-chars) in SKILL.md — inspect the file for hidden characters or manipulative content.
4) Use a dedicated test Instagram Business account and a token with the minimum scope required, and do not run this against accounts you care about until you've tested it.
5) Consider adding an explicit install step (pip install requests) in a controlled virtualenv, verify the script source line-by-line, and confirm compliance with Instagram/Meta terms (automated engagement can violate platform policies).
If you cannot validate these points, do not install or run the skill.
Findings
[unicode-control-chars] unexpected: The SKILL.md was flagged for unicode control characters/prompt-injection patterns. This is not necessary for an Instagram automation guide and could indicate an attempt to manipulate prompt processing or obfuscate content. Review SKILL.md for hidden characters before trusting or running it.

Review Dimensions

Purpose & Capability
note: The script and SKILL.md implement an Instagram comment->DM automation which aligns with the described 'Golden Hour' engagement hack. However, the registry metadata claims no required environment variables or binaries while the script explicitly needs IG_ACCESS_TOKEN and IG_ACCOUNT_ID and the SKILL.md suggests using a .env — this mismatch is unexpected and reduces trust.
Instruction Scope
concern: SKILL.md instructs the agent/operator to run the provided script and set IG_ACCESS_TOKEN and IG_ACCOUNT_ID. It also instructs sending a notification back to OpenClaw via the 'openclaw message' CLI. The instructions do not overreach into unrelated system areas, but they implicitly require a local CLI ('openclaw') and posting to an external service (OpenClaw webchat), which are not declared in the skill metadata.
Install Mechanism
note: This is instruction-only (no install spec) but includes a Python script that declares a dependency on 'requests' in a top comment. The registry provides no install/dependency information, which is inconsistent: the code needs the requests package, but there is no install step declared to ensure that dependency is present.
Credentials
concern: The script legitimately requires IG_ACCESS_TOKEN and IG_ACCOUNT_ID to use the Graph API, which is proportionate to the stated purpose. However, the registry metadata lists no required env vars while the SKILL.md and script both require secrets — this mismatch is a red flag. The script also invokes the 'openclaw' CLI (via os.system), which implies another implicit required tool/credential not declared.
Persistence & Privilege
ok: The skill does not request persistent or elevated platform privileges (always:false) and is user-invocable. It runs as a short-lived script for a duration parameter. The only extra privilege is that it calls an external CLI to notify OpenClaw, which could relay runtime events; this is noted but is not by itself a high privilege request.