v1.0.1

Reddit Lead Prospecting

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:50 AM.

Analysis

The artifacts show a coherent Reddit lead-search helper that uses Brave Search and generates draft outreach content, with no evidence of hidden posting, Reddit credential use, persistence, or exfiltration.

Guidance

This skill appears reasonable for Reddit prospecting via Brave Search. Before installing, make sure you are comfortable providing a Brave API key, running the included Node.js script, and personally reviewing any generated outreach so it is accurate, disclosed, and compliant with Reddit/community rules.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Info. Confidence: High. Status: Note.
SKILL.md
this skill queries `site:reddit.com` via the Brave Search API

The skill sends user search terms to an external search provider. This is central to the stated purpose and is clearly disclosed, but users should avoid including confidential text in searches.

User impact: Your lead-search keywords are sent to Brave Search and count against your Brave API quota.

Recommendation: Use non-sensitive search terms and review Brave API usage if quota or billing matters.
Agentic Supply Chain Vulnerabilities
Severity: Info. Confidence: Medium. Status: Note.
metadata
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.

The registry metadata under-declares the runtime because SKILL.md instructs running a Node script and package.json specifies Node >=18. No dependency install or remote script is shown, so this is an install clarity issue, not a malicious indicator.

User impact: A user or agent may not realize from registry requirements alone that Node.js is needed to run the included script.

Recommendation: Declare Node.js as a required runtime/binary and keep package provenance fields aligned with registry metadata.
Human-Agent Trust Exploitation
Severity: Low. Confidence: High. Status: Note.
reddit-prospecting.js
Full disclosure: I work on this, so I'm biased, but happy to answer any questions about it or the other tools I mentioned.

The skill generates commercial Reddit comment structures. The shown template explicitly encourages disclosure and alternatives, which reduces deception risk, but public marketing content still needs human review.

User impact: Poorly reviewed output could look spammy or violate subreddit norms even though the template encourages disclosure.

Recommendation: Manually review and customize any generated comments or posts, disclose affiliations, and follow each subreddit's rules.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low. Confidence: High. Status: Note.
SKILL.md
`BRAVE_API_KEY` — Brave Search API key. Free tier: 2,000 queries/month.

The skill needs a provider API key. This is expected for Brave Search and there is no artifact evidence of hardcoding, logging, or sending the key anywhere unrelated.

User impact: The skill can use your Brave Search API quota through the configured key.

Recommendation: Use a dedicated Brave API key if possible, keep it out of prompts and logs, and rotate it if exposed.