Scan Report
18/100
instagram-posting-pipeline
Generate promotional images and post them to Instagram Business accounts via Meta Graph API. Handles Pillow image generation, Cloudinary hosting, and Meta Graph API two-step posting.
This is a legitimate Instagram marketing automation pipeline with no malicious behavior. All network, filesystem, and credential access are declared and necessary for its documented purpose.
Safe to install
Skill is safe to use. Replace hardcoded placeholder credential strings in SKILL.md documentation with generic placeholders to avoid confusion. Consider pinning Pillow version in any future dependency file.
Findings (2 items)
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Placeholder credential examples in documentation | Doc Mismatch | SKILL.md:26 |
| Low | Web scraper extracts email and phone via regex | Sensitive Access | scripts/scrape_business.py:101 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | generate_course_promo.py:39 — img.save() to configured OUTPUT_DIR |
| Network | READ | READ | ✓ Aligned | post_to_instagram.py, upload_cloudinary.py, scrape_business.py — all HTTPS API c… |
| Shell | NONE | NONE | — | No subprocess or shell invocation found |
| Environment | READ | READ | ✓ Aligned | os.environ.get() used to read IG_ACCESS_TOKEN, IG_BUSINESS_ACCOUNT_ID, CLOUDINAR… |
9 findings (2 High)
| Severity | Type | Description | Value | Location |
|---|---|---|---|---|
| High | API Key | Suspected hardcoded credential | ACCESS_TOKEN="your_page_access_token" | SKILL.md:26 |
| High | API Key | Suspected hardcoded credential | ACCESS_TOKEN="token_for_account_a" | SKILL.md:128 |
| Medium | External URL | External URL | https://developers.facebook.com/tools/explorer/ | SKILL.md:42 |
| Medium | External URL | External URL | https://res.cloudinary.com/demo/image/upload/xyz.png | SKILL.md:85 |
| Medium | External URL | External URL | https://graph.facebook.com/v21.0/ | scripts/post_to_instagram.py:39 |
| Medium | External URL | External URL | https://www.instagram.com/p/ | scripts/post_to_instagram.py:71 |
| Medium | External URL | External URL | https://www.caddeskcentre.com | scripts/scrape_business.py:168 |
| Medium | External URL | External URL | https://cloudinary.com | scripts/upload_cloudinary.py:40 |
| Medium | External URL | External URL | https://api.cloudinary.com/v1_1/ | scripts/upload_cloudinary.py:57 |
File Tree
5 files · 23.3 KB · 682 lines (Python: 4 files, 551 lines; Markdown: 1 file, 131 lines)
├─ scripts/
│  ├─ generate_course_promo.py (Python)
│  ├─ post_to_instagram.py (Python)
│  ├─ scrape_business.py (Python)
│  └─ upload_cloudinary.py (Python)
└─ SKILL.md (Markdown)
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| Pillow | unpinned | import | No | Pillow is not pinned in any requirements file. The script uses `from PIL import Image`. Ensure Pillow is installed in the target environment. |
Security Positives
✓ No subprocess or shell execution found — all logic uses Python stdlib
✓ No base64 obfuscation or dynamic code execution (no eval, exec, ast.literal_eval misuse)
✓ SSRF protection implemented in scrape_business.py — blocks localhost, private IPs, and internal network hostnames
✓ Cloudinary upload requires explicit env vars (no accidental demo cloud uploads) — security-conscious default
✓ All network access is declared in SKILL.md and is necessary for the pipeline's stated purpose
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No credential exfiltration — IG_ACCESS_TOKEN is used only for Meta Graph API authentication
✓ No persistence mechanisms (no cron, startup hooks, or backdoor installation)
✓ No supply chain risk — only depends on Pillow (standard, trusted package)
✓ No hidden HTML comments or embedded instructions
✓ No direct IP network requests — all outbound calls go to well-known domains (graph.facebook.com, api.cloudinary.com)