Reddit Research But Free

Security checks across malware telemetry and agentic risk

Overview

This skill is a read-only Reddit research tool with disclosed network providers and local cache/save behavior, with privacy caveats but no evidence of deception or harmful actions.

Install this if you are comfortable with Reddit search terms, subreddit names, usernames, and thread URLs being sent to Reddit or the selected archive provider. Avoid archive-provider searches for sensitive investigations unless that exposure is acceptable, clear the cache for sensitive work, and use --save/watchlist only when you want local persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 89%
Finding
The invocation text is broad enough to match generic requests like 'research any topic' or 'find solutions to problems,' which can cause over-triggering outside narrowly intended Reddit use. Overbroad activation increases the chance the agent unnecessarily sends user queries to external services or uses Reddit-derived content when a safer or more appropriate tool should be chosen.

Missing User Warnings

Medium
Confidence: 87%
Finding
The documented `--save` option indicates the skill can write fetched results to local storage, but the user-facing description does not prominently warn about local persistence. This can create privacy and data-handling risks if sensitive queries, retrieved content, or research outputs are written to disk without explicit user awareness.

Missing User Warnings

Medium
Confidence: 91%
Finding
This file sends user-supplied Reddit search terms and filters to third-party archival services (PullPush and Arctic Shift) without any indication of user consent, disclosure, or provider selection safeguards in the API layer. In a research skill, queries may contain sensitive investigative topics, usernames, or subjects, so silently transmitting them to additional external providers creates a real privacy and data-handling risk even if it is not code-execution related.

External Transmission

Medium
Category: Data Exfiltration
Content
  if (before) params.before = before;

  // Query parameters (search terms and filters) are serialized and sent to the
  // third-party PullPush archive over a 15-second timeout.
  const qs = new URLSearchParams(params).toString();
  const res = await fetch(`https://api.pullpush.io/reddit/search/submission/?${qs}`, {
    headers: { "User-Agent": USER_AGENT },
    signal: AbortSignal.timeout(15000),
  });
Confidence: 94%
Finding
https://api.pullpush.io/

External Transmission

Medium
Category: Data Exfiltration
Content
  if (subreddit) params.subreddit = subreddit;

  // Query parameters (search terms and filters) are serialized and sent to the
  // third-party PullPush archive over a 15-second timeout.
  const qs = new URLSearchParams(params).toString();
  const res = await fetch(`https://api.pullpush.io/reddit/search/comment/?${qs}`, {
    headers: { "User-Agent": USER_AGENT },
    signal: AbortSignal.timeout(15000),
  });
Confidence: 94%
Finding
https://api.pullpush.io/

VirusTotal

66/66 vendors flagged this skill as clean.
