Keyapi Reddit Content Analytics

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate KeyAPI Reddit analytics skill, with expected use of a KeyAPI token, external MCP calls, npm setup, and local caching that users should understand before installing.

Before installing, make sure you trust KeyAPI with the Reddit queries you run, protect the KEYAPI_TOKEN, use `--platform reddit`, and delete or disable the local cache if you do not want fetched Reddit data retained on disk.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked incorrectly, the helper could query a different KeyAPI platform or tool than the user expected, though no destructive behavior is shown.

Why it was flagged

The helper can call arbitrary KeyAPI MCP tools and defaults to a non-Reddit platform, even though the skill is described as Reddit analytics.

Skill content

--tool <name>       MCP tool name to call ... --platform <name>   Platform to target  (default: tiktok)

Recommendation

Use the documented Reddit workflow and specify `--platform reddit`; maintainers should consider changing the script default/examples to Reddit or constraining this skill to Reddit tools.

What this means

Anyone with access to the skill directory could potentially read the saved KeyAPI token and use the associated KeyAPI quota or account access.

Why it was flagged

The skill requires a KeyAPI bearer token and can persist it in a local .env file for future runs.

Skill content

KEYAPI_TOKEN        Required. Get yours at https://keyapi.ai/ ... Or save to a .env file in the skill directory ... writeFileSync(envPath, `KEYAPI_TOKEN=${token}\n`, "utf8")

Recommendation

Use a limited-purpose KeyAPI token, protect file permissions on the skill directory, and avoid saving the token to .env on shared systems.

What this means

Installation downloads third-party code from npm, which is normal for this MCP client but carries ordinary package supply-chain risk.

Why it was flagged

The setup depends on an npm package specified with a caret version range, so `npm install` may resolve to newer compatible versions rather than an exact pinned artifact.

Skill content

"dependencies": { "@modelcontextprotocol/sdk": "^1.10.2" }

Recommendation

Install in an isolated project, review generated lockfiles, and consider pinning dependency versions if reproducibility is important.

What this means

Fetched Reddit content, usernames, comments, and feed results may remain on disk and be reused or viewed later by local users or processes.

Why it was flagged

The runner stores API responses in a persistent local cache by default.

Skill content

--cache-dir <path>  Cache directory  (default: .keyapi-cache) ... Deterministic cache path: .keyapi-cache/YYYY-MM-DD/<tool>/<hash>.json

Recommendation

Use `--no-cache` for sensitive research, periodically delete `.keyapi-cache`, and treat Reddit comments/posts as untrusted data rather than instructions.