reddit-post-finder
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The script `scripts/search_reddit.py` handles sensitive API tokens (`APIFY_API_TOKEN` or `GOOSEWORKS_API_KEY`) by reading them from environment variables. These tokens are transmitted as query parameters in HTTP requests to `api.apify.com` or `api.gooseworks.ai`. While this is a common pattern for some APIs, it is a minor concern because tokens in URLs may be recorded in server or proxy logs.
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to `api.apify.com` (a well-known web scraping service) and `api.gooseworks.ai` (the author's own API proxy). These connections are intended and necessary for the skill's primary functionality of retrieving Reddit data.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted content from Reddit posts and comments.
  - Ingestion points: Untrusted data enters the agent context via the Apify dataset items endpoint in `scripts/search_reddit.py`.
  - Boundary markers: No boundary markers or specific warnings are used to encapsulate the scraped content.
  - Capability inventory: The script performs network requests and prints output to the console.
  - Sanitization: No sanitization is performed on the scraped content (title and body). However, the risk is low because the script only filters and prints the data, rather than using it to dynamically construct commands or sensitive API calls.
Audit Metadata