Fapi Reddit
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill mostly matches its Reddit API purpose, but it asks users to expose an undeclared and unexplained auth_token/API credential in chat.
Only install this if you trust fapi.uk and understand that queries may spend account credits. Prefer storing a limited API key in OpenClaw config, do not paste auth_token values into chat, and rotate any credential that has already been shared.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A token pasted into chat may remain in conversation context and could grant broader access to the user's fapi.uk account than needed for Reddit lookups.
This explicitly asks the user to disclose both an API key and an auth_token in chat. The auth_token is not clearly justified or bounded by the documented Reddit API workflow, creating unnecessary credential exposure risk.
或者直接在聊天里说: “我的 fapi apiKey 是 xxx,我的 auth_token 是 yyy”
Use a least-privilege API key stored in OpenClaw configuration if possible, avoid pasting auth_token values into chat, and revoke or rotate any token that was exposed.
Reddit lookups through this skill may reduce the user's fapi.uk balance.
The skill discloses that API calls consume account credits. This is expected for a paid API integration, but users should understand that invoking the skill can spend credits.
每次调用 reddit 接口会从你的 fapi.uk 账户扣除积分
Monitor the fapi.uk balance and use the skill only for queries where spending credits is acceptable.