Back to skill

Security audit

Reddit Cli

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Reddit command-line helper, but it asks users to handle Reddit session cookies that should be treated like passwords.

Install only if you are comfortable giving the CLI access to your Reddit browser session. Treat REDDIT_SESSION and TOKEN_V2 like passwords, avoid committing or sharing shell profiles that contain them, prefer temporary environment variables or a secret store over ~/.bashrc, and rotate/log out of Reddit sessions if the values may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to manually extract an authenticated Reddit browser cookie and persist it in shell startup files, effectively treating a session secret as a reusable API credential. That exposes users to account takeover risk if the cookie is mishandled, leaked via shell history, dotfiles, backups, logs, or local compromise, and the documentation does not clearly warn that this is highly sensitive authentication material.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to place live Reddit session cookies in ~/.bashrc, a persistent shell startup file, without prominently warning that these are sensitive authentication secrets. This increases the chance of accidental disclosure through dotfile backups, shell environment inheritance, local process inspection, shared accounts, or publication of configuration files, which could allow account takeover until the cookies expire.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script automatically attaches Reddit session cookies from environment variables to outbound requests without any explicit warning, consent prompt, or scope limitation. Because these are high-value authentication credentials, users may unknowingly transmit active session cookies to Reddit through a third-party CLI, increasing the risk of account misuse if the tool is repurposed, logged, or later modified.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.