Reddit Skills

v1.0.5

Reddit automation skill collection. Supports authentication, content publishing, search & discovery, social interactions, and compound operations. Triggered...

by Qingyuan Yang @1146345502
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill is described as a Reddit automation collection and the repo contains a Python CLI, a local WebSocket bridge server, and a Chrome extension that operates on reddit.com. Required binaries (python3) and dependencies (requests, websockets) match the declared functionality. There are no unrelated cloud credentials, binaries, or config paths requested that would contradict the stated purpose.
Instruction Scope
SKILL.md enforces using the project's CLI and a local Chrome extension to operate the user's logged-in Reddit session. That scope is consistent with the code, which drives the page DOM via evaluated JS and the extension/bridge. However, the extension requires high-privilege permissions (cookies, debugger, scripting, activeTab) and the skill uses the user's browser session implicitly as the 'credential' — both are sensitive and worth explicit user review. The README/skill claims 'no data exfiltration' and 'local only', but that assertion depends on the extension and background.js behaviour which should be verified.
Install Mechanism
There is no automatic install spec; the README instructs the user to download the repo, load the unpacked Chrome extension manually, and run uv sync for Python dependencies. This manual installation reduces supply-chain risk but places the burden on the user to inspect the extension's code (background.js and manifest.json). The codebase does not appear to download arbitrary executables from unknown hosts; the image downloader pulls images from arbitrary URLs (expected for image posts).
Credentials
The skill requests no environment variables or API keys; instead it uses the user's existing browser session (cookies) for authentication. That is proportionate to a tool that automates actions in the user's real account. Note: implicit use of session cookies is a sensitive privilege and should be treated like a credential — the extension can act as the account holder if it has the necessary capabilities.
Persistence & Privilege
The registry flags are normal (always: false; agent can invoke autonomously). The persistent component is a Chrome extension the user loads manually; this extension requires high privileges (cookies, debugger) and will run in the browser environment. Autonomous agent invocation combined with an extension that can act on the logged-in session increases potential blast radius if misused — not inherently malicious, but something to be aware of.
Assessment
This package appears to do what it claims (automate Reddit by driving your logged-in browser). Before installing, manually review the Chrome extension manifest and background.js to confirm it only talks to localhost and does not send data to remote servers. Understand that installing an extension with 'cookies' and 'debugger' permissions gives it access to your session and the ability to operate as your account — treat that like handing over a credential. If you are concerned, test on a throwaway Reddit account or in a dedicated browser profile. Also: ensure the local WebSocket port (default 9334) is only bound to localhost, confirm the CLI/bridge do not open external connections, and monitor network activity during first use. Finally, be aware the repo contains some minor issues (e.g., a truncated/typo'd CLI call in the provided snippet) so expect bugs; require the skill to prompt for explicit confirmation before publishing/commenting and avoid high-frequency or bulk actions that may trigger rate limits or platform moderation.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

🤖 Clawdis
OS: macOS · Linux
Bins: python3
