Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Keyapi Reddit User Analysis

v1.0.0

Discover and analyze Reddit users and subreddits — retrieve user profiles, active communities, public trophies, subreddit rules, settings, post channels, and...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description match the implementation: the skill is a Node.js MCP client that calls KeyAPI's Reddit tools. Required items (node, KEYAPI_TOKEN, @modelcontextprotocol/sdk) are appropriate and proportional to the declared purpose.
Instruction Scope
SKILL.md instructs running scripts/run.js to list tools and call MCP endpoints; the runtime will read a .env file (if present), may prompt for the KEYAPI_TOKEN interactively, and will persist that token to a .env file when entered interactively. The script also reads/writes a local cache directory (.keyapi-cache) and can write an arbitrary output file if --output is used. It does not appear to read unrelated system files or request unrelated credentials.
Install Mechanism
No remote download/install spec in the registry; the skill is instruction+code and requires running npm install to fetch @modelcontextprotocol/sdk from the npm registry. No arbitrary URL downloads or archive extraction are present in the provided files.
Credentials
Only KEYAPI_TOKEN (primary credential) is required, which is appropriate for API access. The script will persist the token to a .env file in the skill directory when prompted interactively — users should be aware this writes a secret to disk. An optional KEYAPI_SERVER_URL override exists for redirecting MCP traffic.
Persistence & Privilege
The skill's "always" setting is false and the skill does not request system-wide privileges. It will create or modify files inside the skill directory (.env and .keyapi-cache) and can write a user-specified output path. This local persistence is for caching and convenience, not for modifying other skills or the global agent configuration.
Assessment
This skill appears to be what it claims: a KeyAPI MCP client for Reddit intelligence that needs node and a KEYAPI_TOKEN. Before installing, consider: (1) The runner will save a provided KEYAPI_TOKEN to a .env file in the skill directory if you enter it interactively; treat that file as sensitive, or avoid interactive entry and set the token via your environment instead. (2) The skill creates a local cache directory (.keyapi-cache) and can write an output file you specify; review and clean these files if you share the environment. (3) The MCP server URL defaults to https://mcp.keyapi.ai but can be overridden via KEYAPI_SERVER_URL; verify the endpoint if you have concerns. (4) If you plan to use a production API token, consider issuing a scoped or limited token, or using a throwaway token for evaluation. If you want further assurance, inspect the remainder of scripts/run.js (network call handling, any proxying of images) and the upstream repository before use.
Patterns worth reviewing

scripts/run.js:52 — Environment variable access combined with network send.
scripts/run.js:37 — File read combined with network send (possible exfiltration).

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


Runtime requirements

Bins: node
Env: KEYAPI_TOKEN
Primary env: KEYAPI_TOKEN