instagram-profile-meta
Warn
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The instruction `eval "$(python scripts/get-profile-meta.py '{username}')"` uses a bash subshell to generate code. If the `{username}` parameter is not sanitized, it allows for shell command injection via command substitution (e.g., using `$(command)` or backticks within the username string).
- [REMOTE_CODE_EXECUTION]: The skill uses a Python script to dynamically generate JavaScript code which is then executed in a browser context. The user-provided `{username}` is interpolated directly into the JavaScript string literal without escaping, creating a vulnerability for JavaScript injection/XSS within the automated browser session.
- [PROMPT_INJECTION]: The 'Execution Efficiency' section provides instructions for bypassing service protections, specifically suggesting the use of multiple 'stealth browser sessions' with unique fingerprints to circumvent rate limiting and anti-scraping measures implemented by Instagram.
Audit Metadata