ClawHub

Reddit Assistant

v1.0.0

Reddit content creation assistant for indie developers and product builders. Creates authentic posts, researches communities, tracks real performance data vi...

0· 211·1 current·1 all-time
by@edisonchenai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description says it 'tracks real performance data via Reddit API' and provides many scripts/commands that imply interaction with Reddit and local state, but the skill declares no required credentials, no primary credential, and contains no code files. Either the skill expects external code/config to already exist (not included), or it omits necessary credential requirements—both are incoherent with the claimed purpose.
!
Instruction Scope
SKILL.md explicitly instructs the agent to run arbitrary local commands (bash scripts/check_env.sh, python3 reddit-assistant.py status, various scripts/* .py), and to read and write files under memory/ and references/. Those steps can access or modify local files (including potential secrets) and execute arbitrary code. The instructions also reference using the Reddit API but do not explain where API credentials come from.
Install Mechanism
No install spec (instruction-only), which is low install-risk. However, the instructions assume the presence of many scripts and a python program that are not provided in the skill bundle; this mismatch is notable (either the skill is a thin wrapper around an external repo, or required code is missing).
!
Credentials
The skill declares no required environment variables or credentials, yet it expects to call the Reddit API and to run scripts that likely need API tokens or OAuth credentials. It also reads/writes memory/config.json which may contain secrets. Requesting zero credentials while performing API operations is disproportionate and ambiguous.
Persistence & Privilege
always:false (normal). The skill allows Bash, Read, Write tools and instructs persistent file reads/writes in memory/; autonomous invocation is allowed by default—combined with the ability to run local scripts and modify files, this raises operational risk if you allow the agent to run without review.
What to consider before installing
This skill currently reads and runs local scripts and claims to use the Reddit API, but the bundle contains no code, no install instructions, and no credential requirements—this is inconsistent. Before installing or enabling it: 1) Ask the author for the source repo or the missing scripts (scripts/, reddit-assistant.py, references/, memory/). 2) Verify how Reddit credentials are provided (client id/secret, refresh token); do not provide credentials until you confirm where they are stored and how they're used. 3) Inspect scripts/check_env.sh and any Python scripts to ensure they do only what you expect (no network exfiltration, no arbitrary shell execution). 4) If you must test, run it in an isolated environment or container and avoid running it with elevated privileges. 5) Consider denying automatic execution of Bash by the agent until you can review the code. The current state is ambiguous and worth clarifying before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e34anw7xag0h2eestd50zw982ebg8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments