Is kenleung1205/instagram-saver safe?
https://github.com/openclaw/skills/tree/main/skills/kenleung1205/instagram-saver
This skill provides legitimate Instagram content downloading functionality using the Cobalt API service. While it requires shell command execution and sends user URLs to a third-party service, the behavior is transparent and serves the stated purpose.
Findings (4)
MEDIUM Shell Command Execution Required -30
The skill instructs the agent to execute curl commands to make HTTP requests to external APIs. While constrained and for legitimate purposes, this requires shell access.
MEDIUM User URLs Sent to Third-Party Service -25
Instagram URLs provided by users are transmitted to the external Cobalt API service, potentially revealing user interests and browsing patterns to a third party.
LOW External API Integration -15
The skill references and instructs interaction with an external API endpoint, which could be a vector for data transmission outside the user's control.
LOW Third-Party Service Dependency -20
The skill's functionality depends entirely on the Cobalt API service, introducing privacy risks and potential service availability issues.