Instagram Search — Search 400M+ Instagram posts, reels, and profiles. Find influencers, track hashtags, analyze engagement, and export data. No Instagram API or Meta developer account needed — works through Xpoz MCP.
Security Analysis
medium confidenceThe skill's behavior largely matches its description (it calls an Xpoz MCP via an mcporter CLI and delegates auth to an xpoz-setup skill), but there are small but meaningful inconsistencies (missing registry metadata about the xpoz-setup dependency and network use) and it installs an npm CLI binary — both warrant caution and verification before installing.
The described functionality (searching Instagram via Xpoz MCP) is coherent with requiring a CLI (mcporter) and an Xpoz account; SKILL.md explicitly lists a dependency on xpoz-setup and network access to mcp.xpoz.ai. However, the registry metadata at the top did not list the xpoz-setup skill or the network host, which is an inconsistency that should be clarified.
Runtime instructions are narrowly scoped: they call the mcporter CLI (e.g., mcporter call xpoz.*) and instruct the user to run the xpoz-setup skill for OAuth. The SKILL.md does not instruct the agent to read unrelated files, environment variables, or system paths.
The install spec installs an npm package ('mcporter') which will create a binary on disk. Installing CLI tools via npm is common but higher-risk than instruction-only skills because it writes and executes code; verify the package source, publisher, and integrity before installing.
Top-level registry metadata lists no required env vars or credentials, but SKILL.md states auth is handled via the xpoz-setup skill (OAuth 2.1) and that a Xpoz account is required. The credential requirement is present in the SKILL.md but not surfaced at the registry level — this mismatch should be remedied so users know an external account and OAuth flow will be used.
The skill does not request always-on presence and does not claim to modify other skills or system-wide settings. It will install a CLI binary (mcporter) but otherwise doesn't request elevated privileges or permanent agent-level presence.
Guidance
What to check before installing: - Confirm the xpoz-setup skill: inspect its SKILL.md and ensure it performs an OAuth flow and does not exfiltrate other secrets. - Verify the mcporter npm package: check the npm registry publisher, package repository, recent commits, and popularity. Prefer packages from an official project org or GitHub repo. Consider installing in a sandbox first. - Network endpoint: SKILL.md references mcp.xpoz.ai; validate that domain and review Xpoz's privacy/terms to understand what data will be sent and stored. - Expect a binary (mcporter) to be written to your PATH; if you cannot trust the package, do not install it globally. - OAuth scopes: when using xpoz-setup, review the OAuth scopes requested and avoid granting excessive account access. - If you have low tolerance for third-party indexing/scraping, audit exports and CSV URLs before downloading, and monitor network activity to mcp.xpoz.ai. Because of the metadata mismatch (registry did not list the xpoz-setup dependency or network host), proceed only after verifying those pieces; if you cannot inspect xpoz-setup or mcporter, treat the skill as higher risk.
Latest Release
v1.1.1
Added setup section
More by @atyachin
Published by @atyachin on ClawHub
