Reddit Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Reddit search connector that uses Xpoz and mcporter, with privacy and dependency considerations but no evidence of hidden or malicious behavior.

Install this only if you are comfortable installing mcporter from npm, authorizing an Xpoz account, and sending Reddit searches and exports through Xpoz infrastructure. Avoid confidential or regulated queries, and treat CSV export URLs as externally hosted sensitive links unless Xpoz documents stronger access controls.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill routes searches through Xpoz MCP, a third-party service, but does not clearly warn users that their search terms, account-linked activity, and retrieved Reddit data may be transmitted to and processed by an external provider. This can lead users to submit sensitive investigations, proprietary topics, or personal data without informed consent, creating privacy and data-governance risk.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The CSV export section describes obtaining a download URL for full datasets but omits any warning that the export is exposed via a retrievable link, likely backed by external storage. If users export sensitive search results, the generated URL could be shared, logged, or accessed beyond the intended audience, increasing privacy and unauthorized-disclosure risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal