Reddit Cli
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: reddit-cli Version: 1.0.2 The OpenClaw skill 'reddit-cli' is classified as benign. The `scripts/reddit-cli.js` file correctly implements a Reddit CLI, reading `REDDIT_SESSION` and `TOKEN_V2` environment variables as explicitly stated in `SKILL.md` and `README.md`. These cookies are used solely for authentication with `https://www.reddit.com` and are not exfiltrated to any other domain. There is no evidence of malicious execution, persistence, privilege escalation, obfuscation, or prompt injection attempts against the agent in any of the provided files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read these environment variables or shell startup files may be able to use the user's Reddit session until the cookies expire or are revoked.
The skill asks the user to provide Reddit browser session cookies, which are account authentication material. This is disclosed and used for the stated Reddit CLI purpose.
export REDDIT_SESSION="your_reddit_session_cookie" export TOKEN_V2="your_token_v2_cookie" # optional
Use this only on a trusted machine, avoid sharing shell profiles or logs containing these values, and log out or revoke sessions if the cookie may have been exposed.
If the remote GitHub file changes, a user following this install example could run different code than the code reviewed here.
The README gives a user-directed download from a mutable GitHub branch without a pinned commit or checksum. This is not automatic behavior in the reviewed skill, but users following the README could fetch code that differs from the reviewed artifact.
curl -o reddit-cli.js https://raw.githubusercontent.com/kelsia14/reddit-cli/main/scripts/reddit-cli.js
Prefer the reviewed packaged script, or use a pinned commit and verify the file contents before running it.