Reddit Curator

Security checks across malware telemetry and agentic risk

Overview

This Reddit digest skill is mostly coherent, but it asks for Reddit account credentials and describes account-changing features despite other documentation saying it is read-only and does not require Reddit auth.

Review carefully before installing. Do not provide your Reddit password unless you are comfortable granting account-level access and the implementation is trusted. Confirm whether saved-post syncing is opt-in, how scheduled delivery is stopped, where credentials are stored, and review the external GitHub repository before running any code from it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly supports delivery through Telegram, email, and Discord, and optional third-party summarization, but it does not clearly disclose that Reddit-derived content and potentially user configuration data may be sent to those external services. This creates a privacy and data-handling transparency issue because users may not realize their curated content, metadata, or prompts could leave the local environment and be processed by third parties.

Missing User Warnings

Medium
Confidence: 90%
Finding
The 'Auto-save digested posts to Reddit Saved' feature describes modifying the user's Reddit account state without clearly warning the user that the tool will perform write actions on their behalf. Undisclosed account modifications can surprise users, create trust issues, and lead to unintended persistent changes in their Reddit profile.

VirusTotal

65/65 vendors flagged this skill as clean.
