Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Instagram Downloader
v1.0.1交互式下载 Instagram 用户内容(帖子/Reels/头像)。首次使用时会依次询问用户名、下载目录、Cookie路径、代理地址。
⭐ 0· 82·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill's name and description match the instructions: it asks for username, download path, cookie file and proxy and runs gallery-dl. Minor inconsistency: SKILL.md expects gallery-dl (and optionally yt-dlp) to be available, but the registry metadata lists no required binaries — the runtime will fail or produce confusing errors if those tools are not installed.
Instruction Scope
Instructions stay within the stated purpose: collect parameters and run gallery-dl with user-supplied cookie file and proxy. The skill also gives methods to obtain Netscape-format cookies (including using yt-dlp or copying sessionid from browser). These instruct the user to surface sensitive session tokens, which is functionally necessary but privacy-sensitive.
Install Mechanism
This is an instruction-only skill with no install spec or code files — lowest install risk. Nothing is downloaded or written by the skill itself according to the manifest.
Credentials
No environment variables or credentials are requested, which is consistent. However, the skill explicitly asks for a cookie file (containing sessionid and csrftoken) or for the user to export sessionid values — these are effectively account credentials and should be treated as sensitive. Requesting them is proportionate to the described functionality but presents privacy/security risk if mishandled.
Persistence & Privilege
always is false and there is no install-time persistence or modification of other skills/config. The skill will run commands when invoked; autonomous invocation is allowed by platform default but is not combined with other concerning privileges here.
Assessment
This instruction-only skill is coherent for downloading Instagram content, but take these precautions before installing or running it: 1) Ensure gallery-dl (and yt-dlp if you plan to use the cookie-export method) are installed on the host — the skill expects those binaries but does not declare them. 2) The cookie file (sessionid and csrftoken) grants access to your Instagram session; never paste raw session tokens into chat or share them with untrusted parties. Prefer pointing the agent to a local cookie file path rather than typing token values. 3) Review the exact gallery-dl command the agent will run before execution (especially any --no-check-certificate advice). 4) If possible, use a throwaway/limited Instagram account for bulk downloads. 5) If you do not trust the environment or the skill author, do not provide session cookies or run the command. If you want a more conservative setup, install and run gallery-dl yourself locally following the skill's instructions rather than letting the agent execute commands.Like a lobster shell, security has layers — review code before you run it.
latestvk973cgrxf1nghgq3jyeq75mdjs83vyty
License
MIT-0
Free to use, modify, and redistribute. No attribution required.