Post images to Instagram automatically via Telegram. Generates images with WaveSpeed or uses your own. Bypasses Instagram bot detection using residential pro...
Security Analysis
medium confidenceThe skill's requests and code are consistent with an Instagram autoposter: it legitimately asks for Instagram credentials, uses a residential browser skill, and saves a local session; nothing in the provided files indicates clear misdirection or exfiltration.
Name/description (Instagram autoposter) match the declared requirements: IG_USERNAME/IG_PASSWORD, dependency on human-browser (residential proxy). The included scripts and README show code paths needed to log in and post images; these requirements are proportionate to the stated purpose.
SKILL.md and scripts instruct the agent to download images (HTTP/HTTPS), launch the human-browser skill, log in, and interact with Instagram UI. This stays within the posting scope, but the skill will download arbitrary URLs (user-supplied) and will read/write a session file (~/.openclaw/ig-session.json). If an agent or user supplies an internal URL, the skill could retrieve and upload that content — expected for a poster but worth noting.
No install spec (instruction-only with shipped script) — lowest install risk. The code requires the human-browser skill to exist at a relative path; that dependency is declared. Nothing is downloaded from arbitrary URLs during install.
Only IG_USERNAME and IG_PASSWORD are required (plus optional IG_SESSION_PATH), which is appropriate for logging in. The skill saves session cookies locally; environment variables or config entries could store credentials in plaintext — a user-consent/secret-management consideration but proportionate to purpose.
always:false (normal). The skill saves session cookies to ~/.openclaw/ig-session.json so subsequent runs avoid re-login — expected for convenience. This is a persistent file in the user's home directory but does not modify other skills or system-wide settings.
Guidance
This skill appears coherent for automating Instagram posts, but review these before installing: - Trust the human-browser service: it provides the residential proxy and fingerprinting; the skill relies on that external provider to bypass bot detection. - Protect your Instagram credentials: the skill requires IG_USERNAME/IG_PASSWORD and may be stored in your OpenClaw config or environment; prefer using a saved session file if you want to avoid putting passwords in config. Rotate credentials if you stop using the skill. - Be careful with image URLs: the script will download any user-supplied HTTPS URL. Do not instruct the agent to fetch internal or sensitive URLs that you don't want posted to Instagram. - Verify the human-browser dependency path: the script requires a local human-browser skill entry (relative path). Ensure that dependency is the official one you intend to use. - Because the code sample was truncated in the listing, consider reviewing the full scripts/post.js file in your environment before trusting it with credentials; if you need higher assurance, run it in an isolated environment or inspect the human-browser integration points.
Latest Release
v1.0.0
Initial release: post images to Instagram from your AI agent using residential proxy
More by @al1enjesus
Published by @al1enjesus on ClawHub
