Fapi Reddit

Security checks across malware telemetry and agentic risk

Overview

This Reddit API skill is mostly coherent, but it tells users they may paste billable API credentials, including an unexplained auth token, directly into chat.

Install only if you trust fapi.uk and are comfortable with Reddit API queries consuming account credits. Use OpenClaw config or a secure secret store instead of pasting API keys or auth tokens into chat, prefer a revocable key with spending limits, and rotate any credential already shared in a transcript.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

High

Confidence: 98% confidence
Finding: The skill explicitly tells users they can paste their API key and auth token directly into chat, which creates a clear secret-exposure path through conversation history, logs, model context, and any downstream observability systems. In this context, those credentials enable paid API access and potentially account misuse, so disclosure can lead to unauthorized consumption, account abuse, and loss of confidentiality.

Ssd 3

High

Confidence: 99% confidence
Finding: The skill creates a natural-language channel for users to disclose sensitive credentials by inviting them to paste an API key and auth token into chat. Chat transcripts are often retained, inspected, or reused by tooling, so this materially increases the chance of credential leakage and subsequent unauthorized API usage or account compromise.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal