Reddit Scraper

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: reddit-scraper
Version: 1.0.0

The OpenClaw AgentSkills skill bundle for Reddit scraping is benign. The `SKILL.md` provides clear, straightforward instructions for using the `reddit_scraper.py` script, without any evidence of prompt injection attempts or instructions for malicious actions. The `reddit_scraper.py` script uses the standard `requests` library to interact with Reddit's public JSON API (`https://www.reddit.com`) to fetch post data, aligning perfectly with its stated purpose of read-only access. There are no signs of data exfiltration, unauthorized command execution, persistence mechanisms, or attempts to access sensitive local files or environment variables. The dependency `python3-requests` is standard and its installation method is benign.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note: High Confidence

ASI01: Agent Goal Hijack

What this means

A Reddit post could contain misleading instructions or prompt-injection text that should not override the user's actual task.

Why it was flagged

The script retrieves and prints Reddit post text, which is arbitrary third-party content. That is expected for a Reddit reader, but agents should treat it as content, not instructions.

Skill content

'selftext': selftext ... print(f"   📝 {preview}")

Recommendation

Use the fetched Reddit content as evidence to summarize or quote, but do not follow instructions found inside posts unless the user explicitly asks.

What this means

If a user searches for sensitive terms, those terms may be visible to Reddit as part of the API request.

Why it was flagged

Search terms and subreddit selections are sent to Reddit over the public API. This is disclosed and central to the skill's purpose, but it is still an external data flow.

Skill content

url = f"{self.BASE_URL}/search.json" ... params = { 'q': query, ... } ... self.session.get(url, params=params, timeout=15)

Recommendation

Avoid using sensitive private information as search queries unless you are comfortable sending those terms to Reddit.

What this means

The skill may fail unless Python and the requests library are already available, and users should understand any dependency they install.

Why it was flagged

The technical documentation names a system dependency, while the registry requirements/install spec list no required binaries or install steps. This is a metadata completeness issue, not evidence of malicious behavior.

Skill content

Dependencies ... apt-get install python3-requests

Recommendation

Verify the local Python requests package source if installation is needed, and keep dependency declarations aligned with the skill metadata.