Reddit (Agent-First)

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Reddit research CLI integration, with expected API-key use and external lookups that users should understand before installing.

Install only if you trust the ReddGrow service and @reddgrow/cli package. Treat subreddit names, usernames, domains, URLs, post IDs, and search queries as data sent to ReddGrow, avoid sensitive internal targets unless approved, and monitor API key and credit usage for larger batches.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 93% confidence
Finding
The skill description is unusually broad and can trigger on many generic Reddit-related research, moderation, marketing, URL, and profile tasks, increasing the chance the agent invokes an external API-backed tool in situations where the user did not explicitly request it. In this context, over-broad routing is dangerous because the tool sends queries and identifiers to a third-party service and may cause unnecessary data disclosure, unintended spending, or unreviewed external lookups.

Missing User Warnings

Medium, 97% confidence
Finding
The setup and command documentation describe authentication and data retrieval but do not clearly warn that subreddit names, usernames, domains, URLs, post identifiers, and search queries are transmitted to an external service. In an agent setting, this omission can lead users or orchestrators to unknowingly send sensitive investigation targets, internal URLs, or proprietary research terms to a third party, creating privacy, confidentiality, and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
