Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Reddit Search
v1.2.0
Reddit Search — Search posts, comments, users, and subreddits across 100M+ indexed Reddit entries. Find discussions, track topics, discover communities, and analyze engagement. No Reddit API key needed — works through Xpoz MCP with natural language queries.
⭐ 2 · 1.3k · 10 current · 10 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim to search Reddit via Xpoz MCP without a Reddit API key. The SKILL.md consistently uses the mcporter CLI to call Xpoz endpoints (xpoz.getRedditPosts..., checkOperationStatus), which is coherent with the stated purpose. However, the registry metadata at the top-level omitted the SKILL.md's declared dependency on the xpoz-setup skill and the network host (mcp.xpoz.ai), which is an inconsistency that merits attention.
Instruction Scope
The instructions are narrowly scoped to using the mcporter CLI to call Xpoz MCP operations and to poll operation status (including receiving S3 download URLs). They do not instruct the agent to read unrelated local files or arbitrary environment variables. Note: SKILL.md expects you to run the separate xpoz-setup skill to perform OAuth-based auth — that external OAuth flow and the resulting credentials are required for normal operation even though the registry metadata did not declare them.
Install Mechanism
The install spec installs an npm package 'mcporter' which will create a mcporter binary. Installing arbitrary npm packages has moderate risk because packages can execute code on install and create binaries in PATH. The install source is the public npm registry (no explicit release URL), and the package provenance is unknown from the data provided. This is proportionate to the skill's need for a CLI but should be verified before installation.
Credentials
Top-level registry metadata lists no required env vars, but SKILL.md metadata and prose state that an Xpoz account and OAuth (via xpoz-setup) are required and that the skill needs network access to mcp.xpoz.ai. Requesting OAuth credentials for Xpoz is proportionate to the service; the problem is the mismatch between SKILL.md and the registry summary (undeclared dependency on xpoz-setup and network).
Persistence & Privilege
always:false and normal model invocation are used. The skill does install a binary (mcporter) but does not request permanent inclusion, system-wide config modification, or cross-skill credential access. No 'always: true' or other elevated persistence is requested.
What to consider before installing
This skill appears to do what it says (calls Xpoz MCP via the mcporter CLI) but you should take a few precautions before installing:
1) Verify the mcporter npm package provenance (publisher, download counts, source repo) — npm packages run code on install and create binaries.
2) Inspect or vet the xpoz-setup skill (what OAuth scopes it requests, where tokens are stored) before authorizing; confirm you trust xpoz.ai and mcp.xpoz.ai.
3) Be aware that search results and CSV exports will be fetched from external URLs (S3 links) — do not auto-run or open downloaded files from unknown sources.
4) Because the registry summary omitted the SKILL.md's declared dependencies (xpoz-setup and network host), ask the publisher to correct metadata or provide source code/a homepage link for the mcporter package.
If you cannot verify the npm package and the xpoz-setup flow, run the skill in a sandboxed environment or decline installation.
Like a lobster shell, security has layers — review code before you run it.
latestvk97c2c6gr1bdww1ck45326ctgx8119yy
Runtime requirements
Bins: mcporter
Install
Install mcporter (npm)
Bins: mcporter
npm i -g mcporter