Security audit

RedditGrow Pro

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only Reddit marketing toolkit with transparency and platform-rule risks, but it does not install code, access accounts, or automate posting.

Safe to install as a prompt pack, but treat its output as marketing draft material, not automatic posting advice. Disclose when you built, sell, or represent a product; follow each subreddit’s rules; avoid bumping stale threads for visibility; and keep competitor or social-listening analysis to public, non-sensitive, non-harassing market insights.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The skill tells users to avoid commenting on old posts as 'zombie engagement' but later provides a strategy to revive old threads with self-referential follow-ups. That inconsistency can normalize deceptive engagement behavior and encourage manipulation of community visibility under the guise of authentic participation.

Missing User Warnings

Medium
Confidence: 81%
Finding
The competitor-monitoring guidance promotes surveillance of usernames, posting habits, and strategy extraction without any privacy, ethical, or platform-compliance boundaries. In context, this can enable targeted profiling, harassment, or unfair intelligence gathering against identifiable individuals, especially founder accounts.

Ssd 4

Medium
Confidence: 95%
Finding
The phased campaign explicitly teaches users to build credibility first, then introduce product mentions and promotion in a way designed to avoid appearing as spam. Even though it forbids overt vote manipulation, it operationalizes covert influence and evasion of community anti-spam norms, which can facilitate deceptive marketing and policy circumvention at scale.

Ssd 4

Medium
Confidence: 93%
Finding
The content calendar prescribes a sequence of value posts, story posts, soft mentions, and eventual promotion specifically to cultivate trust before monetizing attention. In context, this is a playbook for strategic stealth marketing rather than straightforward community participation, increasing the risk of deceptive engagement and moderation evasion.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.