Back to skill

Security audit

Keyapi Reddit Content Analytics

Security checks across malware telemetry and agentic risk

Overview

The skill is mainly a Reddit analytics helper, but its bundled runner can use the same token to call broader KeyAPI MCP platforms and stores tokens/results locally.

Install only if you trust KeyAPI with the Reddit queries and content you fetch, and keep use explicitly scoped to --platform reddit. Use a limited KEYAPI_TOKEN if possible, avoid saving it to .env on shared machines, and delete or disable .keyapi-cache when results could reveal sensitive research interests or user profiling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The runner is explicitly generic: it accepts arbitrary platform and tool names, can list all server tools, and constructs the MCP endpoint from a user-supplied platform rather than enforcing Reddit-only behavior. In a skill advertised as Reddit content analytics, this creates a scope-expansion/backdoor-like capability that lets the skill invoke unrelated KeyAPI tools and access data or actions outside the declared purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code exposes discovery of all available MCP tools and arbitrary invocation via --list-tools, --schema, and --tool, which exceeds the stated Reddit analytics use case. That broadens the attack surface and enables capability enumeration and use of unrelated remote functions through the authenticated KeyAPI token.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The comments claim image-host handling is limited to TikTok, but the overall program still supports arbitrary platform selection and generic remote tool usage. This mismatch is dangerous because it can mislead reviewers and users into assuming narrower behavior than the code actually enforces, masking broader capability exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to cache API responses containing Reddit posts, comments, user activity, and potentially personalized home-feed data under a local .keyapi-cache directory, but it does not warn about the sensitivity, retention, or local disclosure risks of storing that data on disk. On shared machines or insecure workspaces, this can expose browsing interests, user profiling data, and collected content to other local users or downstream tooling.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.