reddit-post-engine
Warn
Audited by Snyk on May 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's required workflow (Step 3 in SKILL.md) explicitly fetches subreddit rules and recent/top posts from Reddit's public API (e.g., https://www.reddit.com/r/{SUBREDDIT}/about/rules.json, /top.json, /about.json) and uses those user-generated, untrusted contents to determine tone, posting rules, and whether/how to include links—so third-party content directly influences agent decisions and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill issues runtime fetches to Reddit (e.g. https://www.reddit.com/r/{SUBREDDIT}/about/rules.json, https://www.reddit.com/r/{SUBREDDIT}/top.json?t=week&limit=10, and https://www.reddit.com/r/{SUBREDDIT}/about.json) and injects the fetched subreddit rules/top-post content into the generation prompt (SUBREDDIT_TONE_NOTES) sent to Gemini, so external content fetched at runtime directly controls the agent's prompts.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata