Security audit

Reddit Keyword Search API

Security checks across malware telemetry and agentic risk

Overview

This is a focused Reddit search API connector, but users should understand that its JustOneAPI access token is sent in the URL query string rather than in a request header.

Install only if you trust JustOneAPI and are comfortable with the token being transmitted as a query parameter to api.justoneapi.com. Use a limited-scope, revocable token, avoid environments that log full URLs, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The skill defines the API access token as a query parameter and later appends all query parameters directly into the request URL. Query-string credentials are routinely exposed through logs, browser/history tooling, proxy infrastructure, error telemetry, and upstream monitoring, making accidental token disclosure significantly more likely than header-based authentication.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill requires an access token as a query parameter but provides no warning that credentials will be transmitted in the URL. Query-string credentials are commonly exposed through logs, browser history, monitoring tools, reverse proxies, and referrer leakage, increasing the chance of accidental token disclosure even when HTTPS is used.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documentation exposes a required `token` query parameter without any warning about secure handling, storage, redaction, or the risks of placing credentials in URLs. Query-string tokens are commonly logged by clients, proxies, analytics systems, and server access logs, which can lead to credential leakage and unauthorized API use.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
    "parameters": [
      {
        "defaultValue": null,
        "description": "Access token for this API service.",
        "enumValues": [],
        "location": "query",
        "name": "token",
Confidence: 95%
Finding: Access token

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.