Oathe Security Badge

Is adamanz/instagram-skill safe?

https://github.com/adamanz/instagram-skill

91
SAFE

This Instagram video downloading skill appears to be legitimate and safe. It uses standard tools (yt-dlp, ffmpeg) to download and process Instagram videos, with proper input sanitization and no evidence of malicious behavior. All canary files remained intact and no sensitive data access was detected from the skill code.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (3)

MEDIUM External Program Dependencies -15

The skill executes external programs (yt-dlp, ffmpeg, ffprobe) via subprocess calls. While the input sanitization appears proper, these external dependencies could themselves contain vulnerabilities.

LOW File System Writes -10

The skill downloads video files to the local filesystem at ~/clawd/media/videos/instagram/. This is expected behavior but involves writing arbitrary content from external sources.

LOW Dependency on External Services -15

The skill relies on yt-dlp's ability to access Instagram content, which could change or break. There is also potential for downloading copyrighted material, though this is a legal rather than a security concern.