Reddit Cli

v1.0.2

Reddit CLI using cookies for authentication. Read posts, search, and get subreddit info.

by kelsia @kelsia14
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the code and SKILL.md: the script performs GET requests to reddit.com and exposes commands for posts, search, and subreddit info. However, the package metadata lists no required env vars or binaries, while the SKILL.md and script rely on REDDIT_SESSION and optional TOKEN_V2 and require Node (a JS script). The omission is an inconsistency (likely sloppy metadata) but not evidence of malicious intent.
Instruction Scope
Runtime instructions are narrowly scoped: they tell the user how to extract reddit_session (and optionally token_v2) from browser cookies, set them as environment variables, and run the CLI. The instructions do not ask the agent to read unrelated files, exfiltrate data, or contact unexpected endpoints; the code only requests reddit.com endpoints. Note: instructing users to copy session cookies is inherently sensitive.
Install Mechanism
There is no install spec (instruction-only), which minimizes installer risk. The repository includes a single Node script; README suggests downloading from raw.githubusercontent.com (a standard host). The package does not declare Node as a required binary despite being a Node script — a minor but relevant omission.
Credentials
The functionality legitimately requires reddit_session and optionally token_v2 cookies, which are sensitive credentials. Those env vars are described in SKILL.md/README and used by the script, but the skill metadata did not list them as required. Storing session cookies in ~/.bashrc persists sensitive credentials in plaintext on disk and increases risk if the machine is compromised; users should understand that these are effectively authentication credentials and treat them accordingly.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not ask for system-wide configuration access. It appears to operate only when invoked.
Assessment
This skill is internally coherent and implements a read-only Reddit CLI that uses your browser session cookies, but take these precautions before installing:
(1) verify the source: prefer the GitHub repo URL and a trusted author;
(2) don't paste long-lived session cookies into global shell rc files if you can avoid it; consider using a short-lived session, a dedicated account, or a container/VM;
(3) be aware that REDDIT_SESSION and token_v2 are sensitive credentials: anyone with them can act as your session;
(4) confirm you have Node.js installed (the script is a Node program);
(5) review the included script yourself (it only calls reddit.com endpoints), and if you can't review code, run it in an isolated environment;
(6) consider using Reddit's official OAuth flow (or read-only public endpoints) instead of exporting browser cookies for better security.

Like a lobster shell, security has layers — review code before you run it.

latest vk97a1ynv17bqns63qbg34yhnjx7zx78z
