Is antoinedc/instagram-reels safe?

https://github.com/openclaw/skills/tree/main/skills/antoinedc/instagram-reels

90
SAFE

The instagram-reels skill is a documentation-only SKILL.md with no auto-executing code, no install hooks, and a clean installation footprint of exactly two expected files. The primary security surface is privacy-oriented: every reel processed by this skill uploads audio to Groq's cloud servers, and the documented cookie-based private reel access path exposes broad browser session credentials to the agent and yt-dlp subprocess. No prompt injection, canary violations, or malicious behavior were detected.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 92/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

LOW Audio Content Uploaded to Third-Party Groq API -15

Every reel processed by this skill results in the audio being uploaded to Groq's cloud transcription service at api.groq.com. While this is the skill's stated purpose and the endpoint is legitimate, users should understand that reel audio (which may contain private conversations, proprietary content, or personally identifiable information) leaves their system and is processed by a third party. Groq's data retention and training policies apply.

LOW Browser Cookie File Exposed to Agent and Subprocess -7

The skill documents passing a full browser cookie export file to yt-dlp via --cookies flag to authenticate private reel downloads. Browser cookie exports contain session tokens for all authenticated sites in the browser, not just Instagram. Directing an agent to read and pass this file gives yt-dlp (and any agent tool tracing execution) access to a broad session credential bundle.

INFO Unencrypted Temporary Media Files Written to /tmp -8

The pipeline writes reel metadata, raw audio (m4a), and converted audio (mp3) to /tmp, a globally readable directory. On multi-user or containerised systems, co-located processes could read these files between creation and cleanup. The skill documents a cleanup command but does not enforce it programmatically.

INFO Clean Install — Only Expected Files Added 0

The installation cloned only the skill's two declared files with no executables, configuration changes, or unexpected artifacts. The git clone contacted only github.com over TLS on port 443, which is the expected source repository. No new persistent connections or listening services were introduced.

INFO Canary File Reads Attributed to Audit Harness, Not Skill 0

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened read-only twice: once at audit timestamp 1771734747 (5 seconds before the git clone began) and once at 1771734766 (5 seconds after install completed). Both access windows are CLOSE_NOWRITE and align with the audit harness's pre-install baseline capture and post-install integrity verification phases. The skill itself (documentation only) has no mechanism to trigger these reads. All canary files are confirmed intact.

LOW Broad Media Surveillance Risk When Combined with Other Skills -20

While individually benign, this skill combined with a browser-automation or file-discovery skill could enable systematic harvesting and transcription of video content — including private or sensitive recordings. The cookie-based private reel access path in particular means an agent with browsing capabilities could transcribe content the user never intended to expose. The risk is contextual and attacker-controlled rather than inherent to the skill.