instagram-extract
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions recommend using a Python one-liner to append JSON records to a file (
kb/_media_agent_inbox/ingest.jsonl). If the agent implements this by directly inserting social media content (such as post titles or summaries) into the command string, it creates a vulnerability where malicious data could execute arbitrary code on the host system. - [DATA_EXFILTRATION]: The skill utilizes the browser tool with the
profile="chrome"parameter to access and extract data from the user's authenticated sessions on Instagram, LinkedIn, and Threads. This extracted information is subsequently moved to local files and an external service (Convex via prompt-kb), which constitutes a broad data access and movement surface for sensitive personal information. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted text and media from social media posts.
- Ingestion points: Social media captions, carousel alt-text, and LinkedIn post content obtained via Browser Relay.
- Boundary markers: There are no instructions or delimiters provided to help the agent distinguish between its own operational instructions and potential commands embedded within the extracted social media content.
- Capability inventory: The skill can write to the local file system (
kb/), call theprompt-kbtool, and is encouraged to execute shell commands via Python. - Sanitization: The instructions do not include requirements for sanitizing or validating the extracted content before it is stored or used to generate repurposing content.
Audit Metadata