instagram-pipeline

Warn

Audited by Socket on Feb 28, 2026

1 alert found:

Security: MEDIUM
SKILL.md

Functionally, the package does what it claims: it uses Chrome session cookies to authenticate to Instagram, fetches saved post metadata and CDN URLs, downloads media, and runs local transcription/OCR to populate extracted_text fields. I found no explicit code in the provided fragment that forwards cookies or extracted data to attacker-controlled domains or contains backdoor commands. However, the design requires reading raw browser session cookies (a sensitive capability) and often asks for broad OS permissions (macOS Full Disk Access). Combined with platform-native model dependencies (likely downloaded at install/runtime) and third-party distribution, this creates a moderate supply-chain and privilege risk: if any bundled script or transitive native/model dependency is compromised, an attacker could access many local secrets and exfiltrate them. Operators should verify sources, minimize granted privileges, pin/verify external binaries and models, and monitor network activity during initial runs.

Confidence: 98%
Severity: 75%

Audit Metadata

Analyzed At: Feb 28, 2026, 04:53 AM
Package URL: pkg:socket/skills-sh/simonstrumse%2Fvibelabs-skills%2Finstagram-pipeline%2F@c4f8e153813d620fbfffc75a5fb0c70f8db25cf5