RequestHunt Skill

Name: opc-skills/requesthunt
Author: resciencelab

View on GitHub↗

Share on X Share on LinkedIn Share on Bluesky

100Critical

This skill allows remote code execution and is vulnerable to shell

ThreatsCI SM CS BC S HITL

Behavior Analysis

Mismatch detected — The skill claims to 'generate user demand research reports,' but it primarily provides tools for data collection and listing. The actual analytical content and structured report generation (e.g., 'Key Findings,' 'Pain Points Analysis') is presented as a manual process using a Markdown template, not an automated function of the skill.

Claims to do

RequestHunt Skill: Generate user demand research reports by collecting and analyzing real user feedback from Reddit, X (Twitter), and GitHub.

Actually does

This skill installs the `requesthunt` CLI from `https://requesthunt.com/cli` and authenticates with `https://requesthunt.com/device` or a manual API key. It then uses the `requesthunt` CLI to scrape, search, and list user feedback data from Reddit, X, and GitHub via `https://requesthunt.com`. It provides commands to manage data collection and view account status.

Threat Analysis

AI Agent Traps ↗Scanned 4/14/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoning1 finding

Cognitive StateMemory & Learningclean

Behavioural ControlAction4 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Nameresciencelab/opc-skills/requesthunt

Registrygithub

Versionb2eede95dfd2

PURLpkg:github/resciencelab/opc-skills@b2eede95dfd2?skill=requesthunt

Stars766

Installs909

Source

Repository ↗SKILL.md ↗

SHA-25665265869dfc8...

SHA-14c921814f061...

MD589b8041bfeb4...

TLSH1e91659f5b1c...

ssdeep96:ECt08yp75...

Size4,309 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

https://github.com/resciencelab/opc-skills/tree/main/skills/requesthunt

909 installs

Claude CodeDocs

/plugin marketplace add resciencelab/opc-skills

/plugin install requesthunt@resciencelab/opc-skills

Skills.shDocs

npx skills add https://github.com/resciencelab/opc-skills --skill requesthunt

Assessments (2)

AI Agent Traps ↗

Remote code download and execution detectedcriticalcommand execution

Remote code download and execution detected

100% confidenceline 14

curl -fsSL https://requesthunt.com/cli | sh

Command Execution with User-Controlled Inputmediumcommand execution

The skill constructs and executes shell commands using arguments that are likely derived from user-provided strings (e.g., search queries, topics, platforms). If the `requesthunt` CLI does not properly sanitize these inputs, it could lead to shell injection vulnerabilities, allowing an attacker to execute arbitrary commands.

90% confidenceline 51

requesthunt scrape start "ai-coding-assistant" --platforms reddit,x,github --depth 2

Potential Resource Abuse via Scrape Depthlowresource abuse

The `requesthunt scrape` command includes a `--depth` parameter. If an excessively large or unconstrained value is provided for this parameter, it could potentially lead to excessive data collection, network requests, or resource consumption on the `requesthunt` service or the agent's environment.

70% confidenceline 111

requesthunt scrape start "developer-tools" --depth 1

External API Key Management Instructionsinfohardcoded secrets

The skill provides instructions for configuring an API key (`requesthunt config set-key`). While this is necessary for functionality, it highlights a sensitive area where actual API keys could be mishandled if not securely managed by the agent's environment or if a real key were to be inadvertently exposed.

90% confidenceline 26

requesthunt config set-key rh_live_your_key

Description Mismatchmediumdescription mismatch

The skill claims to 'generate user demand research reports,' but it primarily provides tools for data collection and listing. The actual analytical content and structured report generation (e.g., 'Key Findings,' 'Pain Points Analysis') is presented as a manual process using a Markdown template, not an automated function of the skill.

85% confidence

The 'Step 3: Generate Report' section shows a Markdown template and states 'Analyze collected data and generate a structured Markdown report,' implying human analysis, not an automated command to produce the analytical sections.

Version History (2)

381f07d0127a100Critical4/15/2026 b2eede95dfd2current100Critical4/14/2026

Dependencies (9)

requesthunt.claude-plugin/marketplace.jsonnot scanned

domain-hunter.claude-plugin/marketplace.jsonnot scanned

logo-creator.claude-plugin/marketplace.jsonnot scanned

banner-creator.claude-plugin/marketplace.jsonnot scanned

nanobanana.claude-plugin/marketplace.jsonnot scanned

reddit.claude-plugin/marketplace.jsonnot scanned

twitter.claude-plugin/marketplace.jsonnot scanned

producthunt.claude-plugin/marketplace.jsonnot scanned

seo-geo.claude-plugin/marketplace.jsonnot scanned

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/resciencelab/opc-skills/requesthunt.svg)](https://mondoo.com/ai-agent-security/skills/github/resciencelab/opc-skills/requesthunt)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/resciencelab/opc-skills/requesthunt"><img src="https://mondoo.com/ai-agent-security/api/badge/github/resciencelab/opc-skills/requesthunt.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/resciencelab/opc-skills/requesthunt.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow