Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Reddit Market Insights
v1.0.0 · Research ecommerce categories on Reddit to find opportunity areas (pain points) and trending products using semantic AI search via reddit-insights.com MCP se...
by chiuyu@gityu2016
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw · Suspicious · medium confidence

Purpose & Capability
The stated purpose (semantic Reddit search for ecommerce insights) matches the SKILL.md workflow. However, the skill's metadata lists no required environment variables or install steps, while the instructions require an API key for reddit-insights.com and configuring and launching an MCP server via npx. That discrepancy is unexpected.
Instruction Scope
Runtime instructions tell the user/agent to edit agent config files (claude_desktop_config.json, config/mcporter.json), supply REDDIT_INSIGHTS_API_KEY, and run the MCP server via npx. These actions go beyond pure query composition and involve modifying local agent configuration and launching third-party code — this is within the skill's functional scope but expands its runtime footprint and risk.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md instructs using 'npx reddit-insights-mcp' (or 'npx -y reddit-insights-mcp'), which will fetch and run an npm package at runtime. Executing npx pulls arbitrary code from the npm registry; without a vetted install spec or an explicit source/release URL, this is a higher-risk installation pattern.
Credentials
The only runtime secret described is REDDIT_INSIGHTS_API_KEY from reddit-insights.com, which is proportionate to the skill's purpose. However, the registry metadata does not declare this required env var (or any credentials), creating an inconsistency that reduces transparency.
Persistence & Privilege
The skill does not request 'always: true' and does not itself request elevated platform privileges. It does instruct modifying local agent configuration to register an MCP server, which grants persistent capability to run the third-party MCP process when the agent uses that server — users should be aware they are enabling a persistent external process.
Scan Findings in Context
[no_regex_findings] expected: Scanner found no regex-based code findings — expected because this is an instruction-only skill with no code files to analyze.
[missing_declared_env_var] unexpected: SKILL.md requires REDDIT_INSIGHTS_API_KEY and shows how to set it in MCP server config, but the registry metadata lists no required env vars or primary credential. That mismatch reduces transparency and is unexpected.
[meta_owner_slug_mismatch] unexpected: Embedded _meta.json in the package lists ownerId, slug ('reddit-insights') and version (1.2.0) that differ from the registry metadata (ownerId kn79..., slug reddit-market-insights, version 1.0.0). This inconsistency is suspicious and should be clarified by the publisher.
What to consider before installing
Before installing or using this skill, consider the following:
- The SKILL.md asks you to create an API key at reddit-insights.com and to add an MCP server entry that will run 'npx reddit-insights-mcp'. npx will download and execute code from npm — verify the npm package and its source repository (GitHub, maintainer, recent releases) before running it.
- The registry metadata does not declare the REDDIT_INSIGHTS_API_KEY requirement and the included _meta.json metadata (slug/owner/version) doesn't match the published registry metadata. Ask the publisher to explain and correct these mismatches.
- If you proceed, minimize risk: create an API key with least privilege, inspect the npm package contents (or prefer a known GitHub release), and review any MCP server code before running. Consider running the MCP process in an isolated environment (container or VM) rather than on a primary machine.
- If you need more assurance, request a formal install spec and the upstream repository URL from the skill author, or ask the registry operator for provenance verification.
