ClawHub
Back to skill
v1.0.0

reddit-competitor-analysis-api-skill

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:42 AM.

Analysis

This appears to be a coherent Reddit data-collection helper, but it uses your BrowserAct API key, sends search parameters to BrowserAct, and may run a long background task.

GuidanceBefore installing, confirm you are comfortable giving the skill access to your BrowserAct API key, sending Reddit research queries to BrowserAct, and letting the task run in the background with a timeout. No artifact-backed malicious behavior was found.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
scripts/reddit_competitor_analysis_api.py
TEMPLATE_ID = "85401899001481609" ... "workflow_template_id": TEMPLATE_ID

The local script delegates the actual Reddit collection workflow to a remote BrowserAct template identified by ID. This is purpose-aligned, but the remote workflow definition is not included in the local artifacts.

User impactThe actual browser automation behavior depends on BrowserAct and the referenced template, not only on the local Python file.
RecommendationUse the skill only if you trust BrowserAct and the referenced workflow template; review provider documentation where possible.
Rogue Agents
SeverityLowConfidenceHighStatusNote
SKILL.md
Run in background mode ... "background": true ... "timeout": 1800

The skill explicitly recommends background execution for long BrowserAct tasks and provides a timeout. This is disclosed and tied to the expected 5-20 minute runtime.

User impactA task may continue running in the background for several minutes and could consume API quota until it finishes or times out.
RecommendationKeep the recommended timeout, monitor status output, and stop the process if it no longer matches your intent.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/reddit_competitor_analysis_api.py
api_key = os.getenv("BROWSERACT_API_KEY") ... headers = {"Authorization": f"Bearer {api_key}"}

The script requires a BrowserAct API key and uses it as a bearer token for BrowserAct API calls. This is expected for the stated service integration, with no evidence of hardcoding or unrelated credential use.

User impactAnyone installing the skill should know it can use their BrowserAct account/API quota when run.
RecommendationSet the key through the environment rather than pasting it into chat, use a limited or revocable key if available, and monitor BrowserAct usage.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/reddit_competitor_analysis_api.py
API_BASE_URL = "https://api.browseract.com/v2/workflow" ... requests.post(f"{API_BASE_URL}/run-task-by-template", json=payload, headers=headers)

The skill sends the user's Reddit search keywords and filter parameters to the external BrowserAct API. This is disclosed and central to the skill's purpose.

User impactSearch terms, brand names, competitor names, and analysis parameters may be visible to BrowserAct.
RecommendationAvoid sending confidential research terms unless you are comfortable with BrowserAct processing them, and review BrowserAct's privacy and retention policies.