Reddit Post Comments API

Security checks across malware telemetry and agentic risk

Overview

This is a narrowly scoped Reddit comments API helper with a real token-handling caveat, but no evidence of hidden, destructive, or unrelated behavior.

Install only if you are comfortable sending a JustOneAPI token and Reddit post IDs to JustOneAPI. Use a scoped, rotatable token, avoid sharing logs or command output that may include full request URLs, and revoke the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 98%
Finding: The skill defines the API access token as a query parameter and automatically appends it to the request URL. Query-string credentials are commonly exposed via logs, browser/history tooling, proxy caches, observability systems, and upstream infrastructure, increasing the chance of credential leakage beyond the intended recipient.

Missing User Warnings

Medium
Confidence: 96%
Finding: The operation documents an access token as a required query parameter without any warning about the security implications. Query parameters are commonly exposed in logs, browser history, proxy caches, analytics systems, and monitoring tools, so encouraging or normalizing token transmission this way increases the chance of credential leakage and downstream account or API abuse.

Credential Access

High
Category: Privilege Escalation
Content:
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for this API service.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence: 92%
Finding: Access token

VirusTotal

65/65 vendors flagged this skill as clean.
