Reddit Market Insights

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Reddit market-research skill with ordinary third-party API and npm package risks, but no artifact evidence of malicious behavior.

Install only if you are comfortable using reddit-insights.com and the reddit-insights-mcp npm package. Use a dedicated, revocable API key, verify the package before running npx, and avoid sending confidential product plans, customer data, or sensitive personal information in search queries.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger list contains broad, common phrases such as product recommendations, gift ideas, and what to buy, which can cause the skill to activate in contexts far outside its intended ecommerce-research use case. Over-broad activation increases the chance the agent routes unrelated user requests into this skill, causing inappropriate tool use, irrelevant external data access, or outputs that do not match user intent.

Natural-Language Policy Violations

Medium

Confidence: 93% confidence
Finding: The skill requires Chinese output for most fields without any user opt-in, overriding the likely language preference of the session. This is dangerous because it can silently change response language and format, degrading usability, causing misunderstandings, and making the agent less aligned with explicit or implicit user expectations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal