Back to skill

Security audit

Reddit Skills

Security checks across malware telemetry and agentic risk

Overview

This Reddit automation skill is understandable in purpose, but it gives a local browser bridge powerful control over your logged-in Reddit session and needs careful review before use.

Install only if you are comfortable giving a local extension and Python bridge control over your logged-in Reddit browser session. Use a dedicated browser profile or secondary Reddit account, keep the bridge server closed when not actively using it, review every post/comment/vote/save before execution, and avoid leaving this enabled around untrusted local processes. Static scan was clean and VirusTotal was pending, but the Review verdict comes from the artifact-backed overbroad bridge and account-action controls, not malware telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares installation and runtime behavior that uses shell execution and network-capable components, but it does not expose an explicit permission model for those capabilities. That gap reduces transparency and weakens safety controls, making it easier for a broadly-triggered skill to perform actions users or orchestrators may not expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared description frames the skill as Reddit automation, but the documented behavior includes highly sensitive capabilities: reading session cookies, executing arbitrary JavaScript in the browser context, running a localhost bridge, downloading arbitrary remote files, and auto-launching Chrome/processes. Those powers materially exceed a normal 'post/search/comment' abstraction and increase the risk of account compromise, data access, and unintended code-driven browser actions.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The extension opens an unauthenticated WebSocket bridge on localhost and accepts arbitrary commands from whatever process can bind or connect through that local channel. In a browser extension with cookie, tab, scripting, and debugger privileges, this effectively turns the extension into a local RPC backdoor that can automate Reddit actions and invoke more dangerous primitives without meaningful trust validation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The evaluate path exposes arbitrary JavaScript execution in a Reddit tab through the Chrome debugger Runtime.evaluate API. Combined with the localhost bridge, any local process that can send messages can execute script in the logged-in Reddit session, read page data, trigger actions as the user, and potentially chain into credential or token theft from page context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The get_cookies handler accepts a caller-supplied domain, so the bridge can request cookies for arbitrary domains rather than Reddit only. If the extension has broad cookie permissions in the manifest, a local attacker could exfiltrate authentication cookies and session identifiers for unrelated sites, making this a direct credential theft vector.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file header claims cookie access is limited to reddit.com, but the implementation allows any requested domain. This mismatch is dangerous because it masks the true capability of the code, reducing reviewer suspicion and increasing the chance that sensitive cross-site cookie access is overlooked.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The header comment materially understates what this module can do: while it may avoid direct network APIs, it can synthesize clicks, keypresses, text entry, and DOM removal inside reddit.com, which can trigger authenticated site actions such as posting, voting, commenting, or dismissing safeguards. In a Reddit automation skill, this misleading documentation is dangerous because it can cause reviewers or downstream code to treat a high-privilege action layer as harmless DOM-only logic.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The manifest requests the Chrome "debugger" permission even though the stated purpose is a Reddit automation bridge, and no justification is present in the file. This permission is highly sensitive because it can inspect and control browser tabs, network activity, and page state, substantially expanding what a compromised or overly permissive extension could do beyond normal Reddit automation.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The CLI performs local side effects beyond normal Reddit actions by automatically starting a local server and launching a browser/extension connection flow. In an agent setting, these undeclared host actions can violate least surprise and broaden the skill's capability surface, making misuse or unexpected persistence more dangerous than in a normal manual CLI.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The function advertises both save and unsave behavior, but the unsave flag is never used to choose a different UI control or verify the current state. In an automation skill that performs real Reddit account actions, this can cause unintended state changes and misrepresent to the caller that an item was unsaved when it may actually have been saved again.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README documents actions such as commenting, upvoting, downvoting, saving, and submitting content using the user's real logged-in Reddit account, but the examples do not consistently foreground that these are real, user-visible account actions with potentially irreversible or reputation-impacting consequences. In an agent-skill context, this increases the chance that a user or downstream agent treats examples as harmless demos and triggers unintended live actions on a real account.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The CLI reference lists live commands for posting, commenting, voting, and saving without a clear repeated warning in that section that they execute against the user's real Reddit account. Because the project is designed for AI-agent automation and chained natural-language execution, insufficient safety labeling in command docs materially raises the risk of accidental execution of real, user-visible actions.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger description is broad enough to activate on many generic Reddit-related requests, which increases the chance the skill is selected in situations where the user did not intend account-affecting automation. In a skill that can browse, post, vote, save, and manipulate an authenticated session, overbroad activation meaningfully raises misuse and accidental-action risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill requires confirmation for publishing and commenting, but not for other state-changing actions like upvote, downvote, save, or logout. Because these operations alter the user's Reddit account state and reputation signals, omitting equivalent confirmation creates a pathway for unintended or socially harmful actions under an authenticated session.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Sensitive cookie access is performed silently and the results are sent back over the local bridge without any user-facing disclosure or confirmation. In the context of a background extension service, this means a user may have no indication that session material is being accessed and potentially exposed to another local process.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Arbitrary debugger-based JavaScript execution occurs with no user confirmation, warning, or visible prompt. Because this runs in the context of the user's Reddit tab, it can invisibly perform account actions, scrape data, or manipulate the page in ways the user never approved.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The extension can set file input contents on a page through the debugger without any user-facing warning. This enables silent preparation of uploads from local file paths, which can facilitate unintended disclosure of local files if a local controller abuses the bridge.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The remove_element command allows arbitrary deletion of any DOM node matched by a caller-supplied selector, with no validation, scoping, or user disclosure. In this skill's context, that can hide warnings, consent dialogs, moderation notices, or UI context before synthetic input commands are used, making unsafe or unauthorized Reddit actions easier to carry out.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The extension requests a broad set of powerful permissions, including cookies, scripting, tabs, and debugger access, plus localhost WebSocket connectivity, without any user-facing disclosure in the manifest content reviewed here. In the context of a Reddit automation bridge, this combination increases risk because users may not understand that the extension can inject scripts, access session data, and communicate with a local process, which could enable account takeover or local-to-browser abuse if the bridge is compromised.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The delete-cookies/logout command performs a destructive session action immediately, without any confirmation prompt or explicit acknowledgment. In an automated agent context, this can unexpectedly terminate the user's Reddit session and disrupt other browser activity, making accidental invocation more harmful.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The publish functions directly perform irreversible Reddit posting actions once called, with no in-skill confirmation gate, preview, or explicit acknowledgement from the user. In an automation skill that can operate social accounts, this increases the risk of accidental, coerced, or prompt-injected posting on behalf of the user.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code automatically detects Reddit's 'Your post may break rules' warning and dismisses it by clicking 'Submit without editing,' bypassing a platform safety checkpoint without surfacing the warning to the user. In the context of a Reddit automation skill, this is especially risky because it can cause policy-violating, spammy, or reputation-damaging content to be published despite Reddit raising a compliance concern.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This function triggers a state-changing Reddit action through brittle DOM text matching and then reports success without confirming what action was actually taken. In the context of a social-media automation skill, silent or ambiguous state changes are security-relevant because they can manipulate a user's account state without reliable disclosure or traceability.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger description is broad enough to activate on many ordinary Reddit-related requests, which can cause this higher-privilege compound automation skill to be selected when a narrower, safer skill would be more appropriate. In this context, overbroad activation increases the chance of unintended multi-step actions involving search, engagement, or posting workflows, especially because the skill includes social interaction and publishing capabilities.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The intent routing examples use vague phrases like 'help me post' and 'interact with community' without precise boundaries, making it easy for unrelated or insufficiently specific user requests to route into an automation workflow. Because this skill can culminate in comments, submissions, upvotes, and saves, ambiguous routing raises the risk of unintended account actions, policy violations, or user confusion about what the agent is authorized to do.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.