Reddit Insights

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Reddit research skill that uses a disclosed third-party API and API key, with no executable code or hidden behavior found.

Install only if you are comfortable sending Reddit research queries to reddapi.dev and using a paid API key that can consume account quota. Avoid putting secrets, personal data, or highly confidential business details in search queries, and prefer explicit Reddit-related requests when invoking the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (90% confidence)
Finding
The trigger list includes very broad phrases like 'user feedback' and 'what do people think about' that are common in ordinary conversation, which can cause unintended invocation of this skill. Because the skill sends queries to a third-party API, accidental activation can leak user prompts or context externally without clear user intent.

Missing User Warnings

Medium (97% confidence)
Finding
The skill description does not clearly warn users that their queries and API credentials are sent to reddapi.dev, a third-party service. This creates a transparency and privacy risk because users may provide sensitive business ideas, research topics, or personal data without understanding that the content leaves the local environment.

VirusTotal

63/63 vendors flagged this skill as clean.
