Reddit (read only - no auth)
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: reddit-readonly
Version: 1.0.0
The skill bundle is clearly aligned with its stated purpose of read-only Reddit browsing. The `SKILL.md` explicitly states "Read-only only. This skill never posts, replies, votes, or moderates," and the `scripts/reddit-readonly.mjs` code strictly adheres to this, only making `fetch` requests to `https://www.reddit.com` and processing public JSON data. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, prompt injection attempts against the agent, or obfuscation. The script uses environment variables for configuration and clamps input parameters, demonstrating responsible design.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Reddit content could try to influence the agent if treated as instructions rather than as source material.
The tool intentionally returns user-generated Reddit post and comment text to the agent, which may contain untrusted instructions or misleading content.
selftext_snippet: d.selftext ? String(d.selftext).slice(0, 800) : null, ... body_snippet: body ? String(body).slice(0, maxChars) : null
Treat Reddit titles, posts, and comments as untrusted data; do not follow instructions found inside retrieved Reddit content unless the user explicitly asks.
Your subreddit names, search terms, and requested Reddit URLs may be sent to Reddit’s public endpoints.
The script makes outbound network requests to Reddit using user-directed search/subreddit inputs. This is central to the skill’s stated purpose and appears read-only.
const BASE_URL = 'https://www.reddit.com'; ... const res = await fetch(url, { headers: { 'User-Agent': DEFAULTS.userAgent, 'Accept': 'application/json' }
Use this for public Reddit browsing only, and avoid putting private or sensitive information into search queries.
You have less external context for who maintains the skill or where to verify its source.
The skill has no declared upstream source or homepage, which limits provenance verification even though no risky install mechanism is shown.
Source: unknown; Homepage: none
Review the included script before installing and prefer trusted publishers or versions with clear source provenance.
