instantly-incident-runbook
Facilitates rapid incident response for Instantly outages, including triage, mitigation, and postmortem procedures.
Install this skill
Security score
The instantly-incident-runbook skill was audited on May 12, 2026 and we found 44 security issues across 3 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 59 | console.log(`Unhealthy campaigns: ${unhealthy.length}`); |
Template literal with variable interpolation in command context
| 68 | console.log(`\nAccounts: ${accounts.length} total, ${healthy.length} healthy, ${broken.length} broken`); |
Template literal with variable interpolation in command context
| 73 | console.log(` ${v.email}: SMTP=${v.smtp_status} IMAP=${v.imap_status} DNS=${v.dns_status}`); |
Template literal with variable interpolation in command context
| 90 | console.log(`Paused broken account: ${v.email}`); |
Template literal with variable interpolation in command context
| 92 | console.log(`Failed to pause ${v.email}: ${e.message}`); |
Template literal with variable interpolation in command context
| 105 | console.log(` POST /accounts/${encodeURIComponent(v.email)}/resume`); |
Template literal with variable interpolation in command context
| 128 | console.log(`${campaign.name}: ${bounceRate}% bounce rate`); |
Template literal with variable interpolation in command context
| 129 | console.log(` Sent: ${analytics.emails_sent}, Bounced: ${analytics.emails_bounced}`); |
Template literal with variable interpolation in command context
| 137 | console.log(` Bounced leads: ${bouncedLeads.length} of ${leads.length} sampled`); |
Template literal with variable interpolation in command context
| 163 | console.log(`${w.name}: ${w.event_type} -> ${w.target_hook_url}`); |
Template literal with variable interpolation in command context
| 164 | console.log(` Status: ${w.status || "active"}`); |
Template literal with variable interpolation in command context
| 178 | console.log(`\nResuming paused webhook: ${w.name}`); |
Template literal with variable interpolation in command context
| 180 | await client.request(`/webhooks/${w.id}/resume`, { method: "POST" }); |
Template literal with variable interpolation in command context
| 184 | await client.request(`/webhooks/${w.id}/test`, { method: "POST" }); |
Template literal with variable interpolation in command context
| 187 | console.log(` Failed: ${e.message}`); |
Template literal with variable interpolation in command context
| 212 | console.log(`\nBackground jobs in progress: ${stuck.length}`); |
Template literal with variable interpolation in command context
| 214 | console.log(` ${j.id}: ${j.status} (created: ${j.timestamp_created})`); |
Template literal with variable interpolation in command context
| 249 | console.log(`${degraded.length} accounts with low warmup inbox rate:\n`); |
Template literal with variable interpolation in command context
| 252 | console.log(` ${w.email}: ${rate}% inbox rate (${w.warmup_emails_landed_spam} spam)`); |
Curl to non-GitHub URL
| 276 | curl -s https://api.instantly.ai/api/v2/campaigns?limit=100 \ |
Curl to non-GitHub URL
| 281 | EMAILS=$(curl -s https://api.instantly.ai/api/v2/accounts?limit=50 \ |
Curl to non-GitHub URL
| 286 | curl -s https://api.instantly.ai/api/v2/webhooks?limit=20 \ |
Webhook reference - potential data exfiltration
| 29 | Structured incident response procedures for Instantly.ai integration failures. Covers campaign pause cascades, account health crises, bounce protect triggers, webhook delivery failures, and API outage |
Webhook reference - potential data exfiltration
| 37 | | P3 Medium | Single campaign/account issue | 4 hours | One account SMTP failure, webhook delivery issue | |
Webhook reference - potential data exfiltration
| 152 | ## Incident: Webhook Delivery Failure |
Webhook reference - potential data exfiltration
| 156 | async function handleWebhookFailure() { |
Webhook reference - potential data exfiltration
| 157 | console.log("=== P3 TRIAGE: Webhook Delivery ===\n"); |
Webhook reference - potential data exfiltration
| 159 | // Check webhook status |
Webhook reference - potential data exfiltration
| 160 | const webhooks = await client.webhooks.list(); |
Webhook reference - potential data exfiltration
| 162 | for (const w of webhooks as any[]) { |
Webhook reference - potential data exfiltration
| 168 | const summary = await client.request("/webhook-events/summary"); |
Webhook reference - potential data exfiltration
| 172 | const byDate = await client.request("/webhook-events/summary-by-date"); |
Webhook reference - potential data exfiltration
| 175 | // Resume paused webhooks |
Webhook reference - potential data exfiltration
| 176 | for (const w of webhooks as any[]) { |
Webhook reference - potential data exfiltration
| 178 | console.log(`\nResuming paused webhook: ${w.name}`); |
Webhook reference - potential data exfiltration
| 180 | await client.request(`/webhooks/${w.id}/resume`, { method: "POST" }); |
Webhook reference - potential data exfiltration
| 184 | await client.request(`/webhooks/${w.id}/test`, { method: "POST" }); |
Webhook reference - potential data exfiltration
| 285 | echo "--- Webhooks ---" |
Webhook reference - potential data exfiltration
| 286 | curl -s https://api.instantly.ai/api/v2/webhooks?limit=20 \ |
External URL reference
| 276 | curl -s https://api.instantly.ai/api/v2/campaigns?limit=100 \ |
External URL reference
| 281 | EMAILS=$(curl -s https://api.instantly.ai/api/v2/accounts?limit=50 \ |
External URL reference
| 286 | curl -s https://api.instantly.ai/api/v2/webhooks?limit=20 \ |
External URL reference
| 299 | - [Instantly Help Center](https://help.instantly.ai) |
External URL reference
| 301 | - [Instantly Status Page](https://status.instantly.ai) |