Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Reddit Insights

v2.2.0

Search and analyze Reddit content using semantic AI search via reddapi.dev HTTP API. Use when you need to: (1) Find user pain points and frustrations for pro...

4 · 5.9k · 36 current · 37 all-time

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (semantic Reddit search via reddapi.dev) matches the instructions in SKILL.md: calls to reddapi.dev endpoints and use of an API key are expected. However, the registry metadata lists no required environment variables while SKILL.md explicitly instructs the user to export REDDAPI_API_KEY — this metadata omission is inconsistent.
Instruction Scope
SKILL.md is instruction-only and stays on-topic: it documents HTTP requests to reddapi.dev endpoints and how to authenticate. It does not instruct the agent to read unrelated files, system paths, or secrets beyond the reddapi API key, nor does it direct data to third-party endpoints outside reddapi.dev.
Install Mechanism
No install spec and no code files are present, so nothing will be written to disk by the skill itself. This is the lowest-risk install modality and is consistent with an instruction-only API integration.
Credentials
The only secret the SKILL.md requires is an API key for reddapi.dev, which is proportional to the stated purpose. The concern is that the skill registry metadata does not declare this required env var (REDDAPI_API_KEY), so users and automated systems may not be prompted to provide or protect it correctly.
Persistence & Privilege
The skill does not request persistent/privileged presence (always: false), has no config paths, and does not attempt to modify other skills or system settings. Autonomous invocation is allowed (default) but is not combined with other high-risk factors here.
Scan Findings in Context
[no_findings] expected: Regex scanner had no findings because this is an instruction-only skill with no code files. That absence is not proof of safety; the SKILL.md itself contains the actionable instructions and an environment variable requirement.
What to consider before installing
This skill largely does what it says: it calls reddapi.dev and needs your reddapi API key. Before installing, verify the reddapi.dev service and pricing, and confirm you want to provide that API key to your agent. Ask the publisher to update the skill metadata to declare REDDAPI_API_KEY so tooling will treat it appropriately. Do not paste your API key into public chat or unsecured places; if the agent or platform will store the key, confirm how it is stored/encrypted. Also check rate limits and cost of queries (the SKILL.md lists paid plans). If you are unsure of the source (homepage is missing and owner is unknown), consider testing with a dedicated, limited-permission API key or a low-cost/trial account to limit exposure.


latest: vk970mmnrwn3k2hgf5bwbjy22jh834p9f
