instagram-hikerapi
Audited by Socket on May 7, 2026
3 alerts found:
Anomaly x2, Security
No clear malicious payload is evident from this fragment (it primarily downloads media via a self-hosted service and optionally transcribes it). The dominant security concerns are supply-chain/automation risks: untrusted network-response fields (DL_URL, especially FILENAME) are interpolated into ssh-executed shell commands and filesystem paths without strong sanitization/escaping, enabling potential command injection and/or path traversal/unsafe overwrites if the upstream service or returned values are attacker-influenced. The API key is also passed in a command string (logging/process exposure risk). WHISPER_SCRIPT provides an additional code-execution surface.
SUSPICIOUS: the skill’s overall purpose is coherent, but its footprint is broad and sensitive. It reads raw secret files, handles Instagram credentials/cookies, deploys session material to a remote server, and uses an endpoint choice that is not cleanly aligned with the publisher’s obvious official docs branding. This looks more like a high-risk third-party integration than overt malware.
This module is security-sensitive authentication automation that (a) uses stored passwords and a stored TOTP secret to log into Instagram via CDP, (b) extracts authenticated session cookies, (c) persists them to local disk, and (d) deploys them to a server for reuse by another system; it also documents manual persistence of raw auth cookies for YouTube/Twitter. While it does not clearly show stealth/exfiltration malware behavior in the provided fragment, the design directly creates and redistributes high-value authentication artifacts, making it a strong account/session compromise risk if secrets are mishandled or the workflow is repurposed. Treat as high-risk operational code requiring strict access controls, encryption/at-rest protections for secrets, auditing of the deploy script, and least-privilege handling.