Reddit Demand Sniffer & MVP Engine

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Reddit market research skill with some outreach and privacy templates users should edit carefully before use.

Install only if you are comfortable reviewing and rewriting the generated Reddit posts yourself. Before posting, disclose that you are building or validating a product, follow each subreddit’s rules, avoid account-warming or engagement tactics that could look manipulative, and add clear privacy terms before collecting manuscripts, emails, DMs, analytics, or session recordings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Medium, 92% confidence
Finding
This section gives operational guidance for warming Reddit accounts, timing posts for maximum exposure, and driving early engagement so promotional or validation posts perform better. In the context of an MVP-idea skill, this crosses from benign research support into growth-hacking tactics that can facilitate covert promotion or manipulation of community trust, even if framed as "compliance" or "best practice."

Intent-Code Divergence

Medium, 95% confidence
Finding
The template says "I'm not trying to sell anything" while the broader document explicitly supports waitlists, landing pages, beta recruitment, and pre-launch user acquisition. That mismatch encourages deceptive framing of commercial intent, which can mislead communities and moderators into treating promotion as neutral discussion or personal problem-solving.

Vague Triggers

Medium, 90% confidence
Finding
The trigger conditions are broad enough to overlap with many generic product-strategy or ideation requests, which can cause the skill to activate in situations where the user did not clearly ask for Reddit-based market research or MVP generation. This increases the risk of unintended routing, irrelevant guidance, and unnecessary web research, reducing reliability and potentially causing the agent to apply this workflow to mismatched contexts.

Natural-Language Policy Violations

Medium, 82% confidence
Finding
The description is written only in Chinese and does not indicate language flexibility, which can force or bias the skill toward Chinese-language behavior regardless of the user's preferred language. In multilingual systems, this can cause incorrect language selection, degraded usability, and accidental mismatch between user intent and generated output.

Missing User Warnings

Medium, 93% confidence
Finding
The beta-testing template invites users to upload or send real manuscripts to an AI tool without explaining data retention, model-training use, third-party processing, confidentiality, or the risk of sharing unpublished works. In this skill context, that omission is more dangerous because it normalizes collecting sensitive creative content from early users during outreach and recruitment.

Missing User Warnings

Medium, 92% confidence
Finding
The document explicitly recommends Google Analytics, Mixpanel/Amplitude, Hotjar session recording, and direct DM/email feedback collection, but provides no guidance on notice, consent, minimization, or safe handling of personal data. In the context of an MVP-building skill, users may copy these practices directly into real products, creating privacy, compliance, and data-exposure risks for early users.

VirusTotal

63/63 vendors flagged this skill as clean.
