← 返回 Skills 市场
Reddit Search
作者
Avital Yachin
· GitHub ↗
· v1.2.0
1383
总下载
2
收藏
10
当前安装
4
版本数
在 OpenClaw 中安装
/install reddit-api
功能描述
Reddit Search — Search posts, comments, users, and subreddits across 100M+ indexed Reddit entries. Find discussions, track topics, discover communities, and analyze engagement. No Reddit API key needed — works through Xpoz MCP with natural language queries.
安全使用建议
This skill appears to do what it says (calls Xpoz MCP via the mcporter CLI) but you should take a few precautions before installing: 1) Verify the mcporter npm package provenance (publisher, download counts, source repo) — npm packages run code on install and create binaries. 2) Inspect or vet the xpoz-setup skill (what OAuth scopes it requests, where tokens are stored) before authorizing; confirm you trust xpoz.ai and mcp.xpoz.ai. 3) Be aware that search results and CSV exports will be fetched from external URLs (S3 links) — do not auto-run or open downloaded files from unknown sources. 4) Because the registry summary omitted the SKILL.md's declared dependencies (xpoz-setup and network host), ask the publisher to correct metadata or provide source code/a homepage link for the mcporter package. If you cannot verify the npm package and the xpoz-setup flow, run the skill in a sandboxed environment or decline installation.
功能分析
Type: OpenClaw Skill
Name: reddit-api
Version: 1.2.0
The skill is classified as suspicious due to its reliance on installing and executing a third-party `mcporter` binary via `npm` (as specified in `SKILL.md`). This introduces a significant supply chain vulnerability, as the `mcporter` package itself could contain malicious code, leading to arbitrary code execution (RCE) on the agent's system. While the stated purpose of the skill (Reddit search via xpoz.ai) appears benign, the black-box nature of the `mcporter` binary and its communication with `mcp.xpoz.ai` represent an untrusted dependency and a potential attack vector, even without explicit malicious instructions in the provided files.
能力评估
Purpose & Capability
The name/description claim to search Reddit via Xpoz MCP without a Reddit API key. The SKILL.md consistently uses the mcporter CLI to call Xpoz endpoints (xpoz.getRedditPosts..., checkOperationStatus), which is coherent with the stated purpose. However, the registry metadata at the top-level omitted the SKILL.md's declared dependency on the xpoz-setup skill and the network host (mcp.xpoz.ai), which is an inconsistency that merits attention.
Instruction Scope
The instructions are narrowly scoped to using the mcporter CLI to call Xpoz MCP operations and to poll operation status (including receiving S3 download URLs). They do not instruct the agent to read unrelated local files or arbitrary environment variables. Note: SKILL.md expects you to run the separate xpoz-setup skill to perform OAuth-based auth — that external OAuth flow and the resulting credentials are required for normal operation even though the registry metadata did not declare them.
Install Mechanism
The install spec installs an npm package 'mcporter' which will create a mcporter binary. Installing arbitrary npm packages has moderate risk because packages can execute code on install and create binaries in PATH. The install source is the public npm registry (no explicit release URL), and the package provenance is unknown from the data provided. This is proportionate to the skill's need for a CLI but should be verified before installation.
Credentials
Top-level registry metadata lists no required env vars, but SKILL.md metadata and prose state that an Xpoz account and OAuth (via xpoz-setup) are required and that the skill needs network access to mcp.xpoz.ai. Requesting OAuth credentials for Xpoz is proportionate to the service; the problem is the mismatch between SKILL.md and the registry summary (undeclared dependency on xpoz-setup and network).
Persistence & Privilege
always:false and normal model invocation are used. The skill does install a binary (mcporter) but does not request permanent inclusion, system-wide config modification, or cross-skill credential access. No 'always: true' or other elevated persistence is requested.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install reddit-api - 安装完成后,直接呼叫该 Skill 的名称或使用
/reddit-api触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.2.0
Added setup section
v1.1.1
Trimmed SKILL.md
v1.1.0
Auto-install mcporter
v1.0.0
- Initial release of the reddit-api skill.
- Enables Reddit search across 100M+ posts, comments, users, and subreddits via Xpoz MCP with no Reddit API key required.
- Provides tools for keyword, user, and subreddit search, plus CSV export (up to 64K rows).
- Simple OAuth 2.1 authentication handled by the xpoz-setup skill.
- Supports advanced boolean queries and historical data back to 2019.
- Designed for easy integration with related social search and analytics skills.
元数据
常见问题
Reddit Search 是什么?
Reddit Search — Search posts, comments, users, and subreddits across 100M+ indexed Reddit entries. Find discussions, track topics, discover communities, and analyze engagement. No Reddit API key needed — works through Xpoz MCP with natural language queries. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1383 次。
如何安装 Reddit Search?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install reddit-api」即可一键安装,无需额外配置。
Reddit Search 是免费的吗?
是的,Reddit Search 完全免费(开源免费),可自由下载、安装和使用。
Reddit Search 支持哪些平台?
Reddit Search 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Reddit Search?
由 Avital Yachin(@atyachin)开发并维护,当前版本 v1.2.0。
推荐 Skills