Reddit Ads CLI

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Reddit Ads reporting helper that uses an OAuth token and external CLI to query Reddit Ads data, with no evidence of hidden, destructive, or unrelated behavior.

Install only if you trust the external reddit-ads-cli npm package and are comfortable granting it Reddit Ads OAuth access. Use the least-privileged token available, avoid exposing secrets in chat or logs, and review any command that appears to change audiences or account data before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium (89% confidence)

Finding: The manifest frames the skill as analysis/reporting, but the documentation also advertises custom-audience management. That mismatch can cause an agent or user to invoke broader account-affecting capabilities than expected, weakening consent and least-privilege assumptions for an ads account integration.

Missing User Warnings

Medium (84% confidence)

Finding: The skill description does not clearly warn that commands send advertising account identifiers, targeting queries, and reporting parameters to Reddit's external API. This is a transparency and privacy issue because users may treat the skill as local analysis while operational and potentially sensitive ad-account data is transmitted off-host.

VirusTotal

62/62 vendors flagged this skill as clean.