instagram-profile-meta

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The instruction eval "$(python scripts/get-profile-meta.py '{username}')" uses a bash subshell to generate code. If the {username} parameter is not sanitized, it allows for shell command injection via command substitution (e.g., using $(command) or backticks within the username string).
  • [REMOTE_CODE_EXECUTION]: The skill uses a Python script to dynamically generate JavaScript code which is then executed in a browser context. The user-provided {username} is interpolated directly into the JavaScript string literal without escaping, creating a vulnerability for JavaScript injection/XSS within the automated browser session.
  • [PROMPT_INJECTION]: The 'Execution Efficiency' section provides instructions for bypassing service protections, specifically suggesting the use of multiple 'stealth browser sessions' with unique fingerprints to circumvent rate limiting and anti-scraping measures implemented by Instagram.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 13, 2026, 04:39 AM