Reddapi

Security checks across malware telemetry and agentic risk

Overview

Reddapi is a documented third-party Reddit research API wrapper that sends user queries to reddapi.dev with an API key, with no hidden code or persistence found.

Install only if you are comfortable using reddapi.dev as a third-party provider. Use a dedicated API key, do not paste secrets, regulated personal data, customer data, or confidential strategy into queries, and be careful using lead-generation outputs for outreach or profiling. Review any separately downloaded CLI script before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly routes user queries and an API bearer token to a third-party service, but does not warn users that their prompts, search terms, and credentials will be transmitted outside the host environment. This creates a real privacy and data-governance risk, especially if users submit sensitive business research, customer data, or proprietary topics under the assumption the skill is local or first-party.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The lead-generation feature encourages profiling people or businesses based on Reddit activity and inferred buying intent, pain points, and industry, but provides no warning about privacy, ethical use, or downstream misuse. In context, this makes the skill more dangerous because it operationalizes behavioral inference and targeting, which can enable unwanted profiling, contact enrichment, or abusive monitoring.

External Transmission

Medium
Category
Data Exfiltration
Content
### POST /api/v1/leads (NEW!)
```bash
curl -X POST "https://reddapi.dev/api/v1/leads" \
  -H "Authorization: Bearer ***" \
  -H "Content-Type: application/json" \
  -d '{"query": "people frustrated with CRM software", "limit": 20, "min_score": 70}'
```
Confidence
91% confidence

External Transmission

Medium
Category
Data Exfiltration
Content
### POST /api/v1/search/semantic
```bash
curl -X POST "https://reddapi.dev/api/v1/search/semantic" \
  -H "Authorization: Bearer ***" \
  -H "Content-Type: application/json" \
  -d '{"query": "best productivity tools for remote teams", "limit": 100}'
```
Confidence
90% confidence

VirusTotal

64/64 vendors flagged this skill as clean.