ClawHub

Reddit Post Details API

Security checks across malware telemetry and agentic risk

Overview

This is a focused Reddit post-details API helper with a real token-handling caveat, but no hidden or unrelated behavior was found.

Install only if you trust JustOneAPI with the token and Reddit lookup requests. Keep the token in JUST_ONE_API_TOKEN, avoid sharing logs or full request URLs, use a limited-scope token if available, and rotate it if exposure is suspected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill defines the API token as a query parameter and then appends all query parameters directly into the request URL. Query-string credentials are commonly exposed through logs, browser/history layers, proxy telemetry, monitoring systems, error messages, and upstream referrer handling, making accidental disclosure more likely than with an Authorization header. In this skill context, the risk is real because the tool is specifically designed to accept a secret token from the caller and transmit it on every request.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill requires an API access token to be sent as a query parameter, which is risky because query strings are commonly logged by servers, proxies, browser history, observability tools, and intermediary infrastructure. Even over HTTPS, this increases the chance of credential disclosure compared with using an Authorization header or other secret-safe mechanism.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The documentation requires an access token as a query parameter but provides no warning about secure credential handling. Putting tokens in URLs is risky because query strings are commonly logged by clients, proxies, analytics systems, and server infrastructure, which can expose the credential and enable unauthorized API use.

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for this API service.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
96% confidence
Finding
Access token

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal