Is arein/gram safe?

https://github.com/openclaw/skills/tree/main/skills/arein/gram

67 · CAUTION

The gram skill is a documentation-only file with no prompt injection or hidden instructions, but it installs @cyberdrk/gram — an npm package from an unverified publisher that by design extracts browser cookie databases and makes outbound API calls. The primary risks are: (1) the unverified npm package receiving and potentially exfiltrating extracted browser credentials, including Instagram session tokens sufficient for full account takeover; and (2) the agent being able to autonomously perform irreversible social media actions (follow, comment, like) without per-action user confirmation. The clone phase was clean with no unexpected network activity or filesystem changes outside the skill directory.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 42/100 · 25%
Code Execution 52/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 38/100 · 5%

Findings (5)

HIGH Browser cookie database extraction exposes all stored credentials -35

The skill's authentication design requires the gram binary to read Chrome, Firefox, Safari, Arc, and Brave cookie SQLite databases. These databases contain credentials for every site the user is logged into, not just Instagram. The binary performing this read is from an unverified npm publisher (cyberdrk).

HIGH Global npm install of unverified @cyberdrk/gram package -35

Installation requires npm install -g @cyberdrk/gram from the 'cyberdrk' npm namespace. This publisher is unverified and has no established trust record. The package could contain malicious preinstall/postinstall scripts. This audit did not execute npm install, so no install-time code execution was observed, but the deployment risk is real.

HIGH Unconfirmed autonomous social media engagement actions -30

The skill enables an agent to follow, unfollow, like, comment, and save on Instagram. These actions are visible to third parties and potentially irreversible. No confirmation flow is specified in SKILL.md, meaning an agent with this skill could perform mass social actions without per-action user approval.

MEDIUM Instagram session tokens transit unverified binary -15

sessionid, csrftoken, and ds_user_id are full account takeover credentials. All gram commands pass these through the @cyberdrk/gram binary which makes outbound HTTPS connections. Exfiltration would be indistinguishable from normal Instagram API traffic.

LOW Social engagement actions lack explicit user confirmation requirement -8

SKILL.md does not instruct the agent to confirm destructive or visible actions before executing. An agent could invoke follow, comment, or like commands autonomously in response to broad user intent.