Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Reddit Curator
v1.0.0
Curates and summarizes top posts daily from your chosen subreddits, filtering by upvotes and keywords, and delivers a clean Reddit digest to email or Telegram.
MIT-0
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Confidence: medium
Purpose & Capability
SKILL.md describes a Reddit curator that legitimately needs Reddit API credentials and delivery credentials (Telegram/email). However README claims 'read-only access ... without requiring Reddit API auth', which contradicts SKILL.md. Additionally SKILL.md includes features like 'Saved Posts Sync' (requires write/save permissions) that are not aligned with the README's read-only claim.
Instruction Scope
Runtime instructions explicitly require Reddit client_id/client_secret/username/password and show a curator-config.json that stores them in plaintext. The instructions cover scanning subreddits, fetching posts, summarizing (optionally via external LLM APIs), and delivering to external endpoints. They do not instruct reading arbitrary system files, but they are permissive about storing sensitive credentials in a config file and mention write operations (saving posts) without clearly specifying required API scopes or safety checks.
Install Mechanism
This is instruction-only (no install spec and no code files beyond docs), which is lower-risk. However README suggests cloning a GitHub repo (https://github.com/proceedinghumbly/reddit-curator.git) even though the registry entry contains no installable code; that discrepancy should be resolved before trusting any external install source.
Credentials
Registry metadata lists no required env vars, but SKILL.md expects Reddit credentials (client_id, client_secret, username, password) and optionally OpenAI/Anthropic API keys and delivery tokens. Requesting a full Reddit username+password is sensitive but consistent with the 'script' app flow; however the skill does not declare these as required in metadata and shows storing them in a plaintext JSON config — this is disproportionate from a security/manifest perspective and unclear about required scopes (read vs write).
Persistence & Privilege
always:false and normal model invocation are used (no forced always-on privilege). The skill does not request to modify other skills or system-wide settings in the docs. The only persistence concern is that the instructions encourage storing credentials in curator-config.json and may perform write actions on the Reddit account (saved posts sync).
What to consider before installing
This skill is plausibly what it says (curates Reddit and delivers digests) but the documentation is inconsistent and asks you to provide highly sensitive credentials. Before installing:
1) Confirm the real source repository and review its code; do not trust the README's clone URL without checking it.
2) Ask the author why README claims 'no auth' while SKILL.md requires full Reddit credentials and why write features (saving posts) are present; require a clear list of OAuth scopes.
3) Prefer creating a dedicated Reddit account and an app with the minimum scopes, and avoid reusing your main Reddit password.
4) Do NOT store credentials in plaintext files on shared machines; use a secrets manager or the platform's secure config.
5) If you need enhanced summaries, provide LLM keys only if you understand billing and data exposure to those providers.
If the author cannot resolve the README/manifest inconsistencies or provide a reputable code repo to audit, treat this skill as untrusted.
Tags: agent, backup, hermes, latest, openclaw, ops, utility
