Reddit Lead Prospecting
Pass. Audited by ClawScan on May 1, 2026.
Overview
The artifacts show a coherent Reddit lead-search helper that uses Brave Search and generates draft outreach content, with no evidence of hidden posting, Reddit credential use, persistence, or exfiltration.
This skill appears reasonable for Reddit prospecting via Brave Search. Before installing, make sure you are comfortable providing a Brave API key, running the included Node.js script, and personally reviewing any generated outreach so it is accurate, disclosed, and compliant with Reddit/community rules.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your lead-search keywords are sent to Brave Search and count against your Brave API quota.
The skill sends user search terms to an external search provider. This is central to the stated purpose and is clearly disclosed, but users should avoid including confidential text in searches.
this skill queries `site:reddit.com` via the Brave Search API
Use non-sensitive search terms and review Brave API usage if quota or billing matters.
The skill can use your Brave Search API quota through the configured key.
The skill needs a provider API key. This is expected for Brave Search and there is no artifact evidence of hardcoding, logging, or sending the key anywhere unrelated.
`BRAVE_API_KEY` — Brave Search API key. Free tier: 2,000 queries/month.
Use a dedicated Brave API key if possible, keep it out of prompts and logs, and rotate it if exposed.
A user or agent may not realize from registry requirements alone that Node.js is needed to run the included script.
The registry metadata under-declares the runtime because SKILL.md instructs running a Node script and package.json specifies Node >=18. No dependency install or remote script is shown, so this is an install clarity issue, not a malicious indicator.
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.
Declare Node.js as a required runtime/binary and keep package provenance fields aligned with registry metadata.
Poorly reviewed output could look spammy or violate subreddit norms even though the template encourages disclosure.
The skill generates commercial Reddit comment structures. The shown template explicitly encourages disclosure and alternatives, which reduces deception risk, but public marketing content still needs human review.
Full disclosure: I work on this, so I'm biased, but happy to answer any questions about it or the other tools I mentioned.
Manually review and customize any generated comments or posts, disclose affiliations, and follow each subreddit’s rules.
