instagram-publisher
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uploads local images to 'https://catbox.moe/user/api.php'. This is used to generate temporary public URLs required by the Instagram Graph API to fetch and process the media containers.
- [COMMAND_EXECUTION]: The skill executes a Node.js script ('scripts/publish.js') using 'node --env-file=.env'. This script handles the image upload, API interaction with Facebook/Instagram Graph API, and carousel publishing logic.
- [DATA_EXPOSURE]: Local image files are read from the file system and sent to a third-party service (catbox.moe). Although intended for the skill's primary purpose of publishing, this involves transferring local data to an external, non-vendor-controlled endpoint.
- [CREDENTIALS_SAFE]: The skill correctly instructs users to manage sensitive credentials like 'INSTAGRAM_ACCESS_TOKEN' and 'INSTAGRAM_USER_ID' via a '.env' file, which is a standard security best practice for local development and script execution.
Audit Metadata