ClawHub

Reddit API

Security checks across malware telemetry and agentic risk

Overview

This is a coherent read-only JustOneAPI Reddit wrapper, but its API token is sent in URL query parameters, which users should treat carefully.

Install only if you trust JustOneAPI and are comfortable with the token being sent in the URL query string. Avoid sharing command logs, generated URLs, screenshots, proxy traces, or error reports from this skill, and prefer a future version that uses header-based authentication if one becomes available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill places the API access token into the URL query string via applyQueryParams, which means the credential can be exposed in logs, browser history, proxy/CDN logs, analytics, referrer data, and error reports. Even over HTTPS, query parameters are commonly recorded by infrastructure, making this an avoidable credential-leak risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The API requires an access token to be sent as a query parameter, which is unsafe because query strings are commonly logged by clients, intermediaries, reverse proxies, analytics systems, and server access logs. Even though the base URL uses HTTPS, placing credentials in the URL materially increases the risk of credential exposure through routine observability and sharing mechanisms.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The endpoint documentation instructs users to send an access token as a query parameter, which is commonly logged by servers, proxies, browser history, analytics tools, and monitoring systems. Even in documentation form, this normalizes an insecure authentication pattern and can lead to credential exposure if implemented as described.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This second endpoint repeats the same insecure pattern by requiring a sensitive token in the query string without any warning. Query parameters are high-risk locations for secrets because they are frequently captured in access logs and tracing systems, increasing the chance of unauthorized token disclosure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The search endpoint also documents a required access token in the URL query parameters, creating the same credential exposure risk across the API surface. Because this is a search operation that may be called frequently, the operational context can increase the volume of logged requests and therefore the chance that tokens are exposed or retained.

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for this API service.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
94% confidence
Finding
Access token

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for this API service.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
94% confidence
Finding
Access token

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for this API service.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
94% confidence
Finding
Access token

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal