RedditRank

Security checks across malware telemetry and agentic risk

Overview

RedditRank is a coherent Reddit marketing tool: its external API use is disclosed, and the remaining cautions, local API-key storage and promotional draft use, are manageable.

Install only if you are comfortable sharing your email, product details, Reddit thread URLs, and draft requests with RedditRank. Keep ~/.redditrank/config.json readable by your user only, avoid running setup in shared or logged terminals, rotate the key if it is ever exposed, and review and edit every generated reply before posting so it follows Reddit and subreddit rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding
The setup flow tells users to run a shell script and store an API key in OpenClaw config or an environment variable, but provides no warning about handling secrets safely. Because the skill also relies on shell execution and config writes, insufficient credential guidance raises the risk of accidental leakage through shell history, insecure files, shared environments, or overbroad agent access to stored keys.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The code persists the API key in a plaintext JSON file under the user's home directory without setting restrictive file permissions or providing any disclosure about local secret storage. On multi-user systems, shared environments, backups, or endpoint compromise, this increases the chance that the credential is exposed and reused against the remote service.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The code persists a user-supplied API key locally immediately after validation, but the onboarding UI does not clearly disclose that the secret will be stored on disk. This is a genuine security/privacy weakness because local secret storage changes the user's exposure model: other local users, malware, backups, or insecure file permissions may obtain the key without the user realizing it was retained.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The registration flow sends the user's email address to a remote service, but the UI only says to enter an email to get a free API key and does not explicitly disclose that the address will be transmitted off-device. While this is expected for registration, the lack of clear notice is still a real privacy issue because users are not told about network submission or the associated data handling.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
After email verification, the returned API key is automatically saved locally without asking the user or warning that a credential will persist on the machine. This creates the same local secret-retention risk as the manual key path, and it is slightly more surprising because the key is generated remotely and stored automatically as part of the flow.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script prints the newly issued API key directly to the terminal, which can expose the secret through terminal scrollback, screen sharing, shoulder surfing, shell session logging, or CI/remote session transcripts. Because this is a reusable bearer credential, disclosure could let another party access the service as the user.
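The plaintext-storage findings and the terminal-printing finding above share one fix pattern: create the config file owner-only from the first byte, audit it for loose permissions, and never echo the full key. The following is an added example, not RedditRank's own code; it reuses the ~/.redditrank/config.json path from this page, while the function names, the {"api_key": ...} JSON layout, and the sample key value are assumptions for illustration (POSIX mode bits are assumed, so Windows ACLs are not covered).

```python
"""
Added example (not RedditRank's code): owner-only persistence of a bearer
API key, a permission audit for an existing config, and redaction before
display. Path from the page: ~/.redditrank/config.json. Function names,
JSON layout and the sample key are assumptions for illustration.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

CONFIG_DIR = Path.home() / ".redditrank"
CONFIG_PATH = CONFIG_DIR / "config.json"


def save_api_key(api_key: str, path: Path = CONFIG_PATH) -> Path:
    """Persist the key under a 0700 directory as a 0600 file, written atomically."""
    path = Path(path)
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)  # mkdir honours the umask; force owner-only
    # mkstemp creates the file with mode 0600, so there is no window in which
    # the key is readable by other local users; rename over the final path.
    fd, tmp = tempfile.mkstemp(prefix=".config-", dir=path.parent)
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump({"api_key": api_key}, fh)
        os.chmod(tmp, 0o600)  # belt and braces; mkstemp already used 0600
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def audit_config_permissions(path: Path = CONFIG_PATH) -> list:
    """Return problems found: any group/other access bits on the file or its directory."""
    path = Path(path)
    problems = []
    for target, label in ((path.parent, "directory"), (path, "file")):
        mode = stat.S_IMODE(target.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{label} {target} is mode {mode:04o}; expected owner-only")
    return problems


def redact(secret: str, keep: int = 4) -> str:
    """Show only a short prefix so scrollback, screen shares and transcripts cannot reuse the key."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def demo(base_dir=None) -> dict:
    """Run save, audit, loosen, re-audit and redact under a throwaway directory; return the results."""
    base = Path(base_dir) if base_dir else Path(tempfile.mkdtemp(prefix="redditrank-demo-"))
    cfg = base / ".redditrank" / "config.json"
    key = "rr_live_abcdef123456"  # constructed sample value, not a real credential
    save_api_key(key, cfg)
    result = {
        "file_mode": stat.S_IMODE(cfg.stat().st_mode),
        "dir_mode": stat.S_IMODE(cfg.parent.stat().st_mode),
        "stored_key_matches": json.loads(cfg.read_text())["api_key"] == key,
        "problems_after_save": audit_config_permissions(cfg),
    }
    os.chmod(cfg, 0o644)  # simulate a careless chmod or a backup restore
    result["problems_after_loosening"] = audit_config_permissions(cfg)
    result["printable"] = redact(key)  # what the setup script should print instead of the key
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the audit results and the redacted key rather than the key itself; the setup script's "here is your new key" line should use the redacted form and tell the user where the full value was written.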

VirusTotal

64/64 vendors flagged this skill as clean.
