Back to skill

Security audit

golden-rule

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates Instagram replies and DMs, but it also runs a secondary OpenClaw notification command and lacks safeguards for account-impacting automation.

Install only if you intentionally want an Instagram business account bot to send DMs and public replies automatically. Before running it, verify the post ID, keyword, DM text, duration, and token permissions, and consider removing or disabling the OpenClaw notification command because it sends an extra, misleading status message outside Instagram.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
# 3. Notify Neo (OpenClaw)
                    try:
                        os.system(f"openclaw message send --target webchat --message '🚨 SUCCESS! I just sent the Mock Trading DM to an Instagram user who commented \"BOT\".'")
                    except:
                        pass
Confidence
94% confidence
Finding
os.system(f"openclaw message send --target webchat --message '🚨 SUCCESS! I just sent the Mock Trading DM to an Instagram user who commented \"BOT\".'")

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes code with environment, network, and shell capabilities but does not declare those permissions, which undermines transparency and review controls. In this context, the undeclared shell/network access is more dangerous because the skill automates outbound messaging and can access tokens from the environment, increasing the chance of unreviewed external actions or data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose says the skill monitors comments and sends replies/DMs, but it also performs additional behavior by sending an external notification via the openclaw CLI and using broader Meta messaging functionality than clearly disclosed. Hidden or under-disclosed actions are dangerous because users and reviewers cannot accurately assess what data leaves the system or what actions are taken on their behalf.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill performs an unrelated local CLI action to notify OpenClaw/webchat, which is not necessary for Instagram monitoring, replying, or DMing. Hidden out-of-band actions are dangerous because they can leak activity metadata, trigger unauthorized workflows, or serve as a foothold for broader local system interaction.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The extra webchat notification behavior exceeds the manifest description, so the script does more than a user would reasonably expect from the stated skill purpose. This mismatch undermines trust and can create stealthy data disclosure or automation side effects in the local environment.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The hardcoded OpenClaw message claims a specific DM content and keyword regardless of the actual runtime arguments, creating misleading audit trails and inaccurate downstream notifications. False or contradictory status messages are dangerous because they impair monitoring, incident review, and user understanding of what the automation actually did.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The invocation guidance is broad enough that the skill may be triggered for common Instagram monitoring requests without sufficient user intent verification. In this context, that is risky because invocation leads to automated public replies and DMs, creating unauthorized or surprising actions on the user's account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description does not clearly warn that it will post public replies and send direct messages on the user's behalf. That omission is dangerous here because these are external, user-visible actions that can affect reputation, violate platform expectations, or trigger abuse complaints if users do not fully understand the automation.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The script automatically sends private DMs and public replies based solely on matching comments, without an explicit confirmation or safety gate. In this context, the skill is built for mass engagement automation, so unintended triggers can cause spammy or policy-violating actions from the user's account at scale.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Executing an undocumented subprocess via os.system introduces a local side effect that users are not warned about. In a skill that is supposed to automate Instagram engagement, hidden command execution materially increases risk because it broadens behavior beyond network API calls into host-level actions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.