reddit-insights

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt instructs the user to copy their API key into MCP configuration files (showing an env field like "REDDIT_INSIGHTS_API_KEY": "your_api_key_here"), which encourages embedding the secret verbatim in config or agent-generated output and therefore can require the LLM to handle/output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md and SKILL-OC.md explicitly call tools like reddit_search and reddit_get_subreddit that fetch live, public Reddit posts/URLs (user-generated, untrusted content) and instruct the agent to read, analyze, and synthesize those posts into decisions and follow-up actions, so third-party content can materially influence tool use and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's setup requires running "npx reddit-insights-mcp" (which fetches and executes remote code from the npm registry at runtime) and links to https://reddit-insights.com for API setup, so the npx/npm fetch is a runtime external dependency that executes remote code.