Back to skill

Security audit

Reddit Account Operations

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed Reddit account-operations guide with real public-posting risk, but its access and data flows are purpose-aligned and bounded.

Install only if you intend an agent to act through your real Reddit account. Keep webhooks empty unless you accept sending run status, URLs, karma, and blockers to a third party, require human confirmation for public posts, and avoid using it in subreddits that prohibit automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The manifest description includes broad trigger phrases such as "post to reddit" and "reddit bot," which can cause the skill to be invoked for a wide range of routine requests. Because this skill performs actions on a logged-in real Reddit account and is designed for automated posting/reply workflows, accidental activation could lead to unintended public actions, account-policy violations, or disclosure through optional webhook logging.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.