WitPulse-redditnews
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill fetches public Reddit RSS headlines and runs simple local scripts; no credential use, hidden exfiltration, or destructive behavior is evident, though users should notice the script execution, network access, and stored Reddit content.
This appears safe to install if you are comfortable with a skill that runs its included scripts, contacts Reddit, and stores fetched headlines locally. Before using it, review config.json to limit the subreddit list to topics you want, and treat all fetched headlines and links as unverified external content.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may expect a text-only skill but will actually be installing a package that includes local scripts.
The package provenance and install metadata are sparse and do not fully reflect that executable scripts are included, although the script contents are provided for review.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill ... Code file presence 6 code file(s)
Review the included scripts before running them and prefer packages with clear source/provenance metadata.
Running the skill will execute its included scripts on the local machine.
The documented workflow executes local Python scripts via a Bash wrapper. This is disclosed and aligned with the skill purpose, but it is still local code execution.
python3 ~/.agents/skills/WitPulse-redditnews/scripts/fetch_reddit.py
python3 ~/.agents/skills/WitPulse-redditnews/scripts/curator.py
Run it only from the expected installed skill directory and after reviewing the visible script contents.
Using the skill contacts Reddit for each configured subreddit, including the broader default list in config.json.
The skill uses the configured subreddit list to make outbound web requests to Reddit RSS feeds. This is expected for the stated Reddit news purpose.
sources = [f"https://www.reddit.com/{sub}/.rss" for sub in config.get("subreddits", [])]
Review and trim config.json to the topics you actually want the skill to fetch.
A misleading or malicious Reddit title could be repeated or summarized by the agent if treated as trustworthy content.
Public Reddit titles and links are stored locally and later used for output/curation, so untrusted external text can enter the agent's working context.
with open(OUTPUT_FILE, "w", encoding="utf-8") as f:
    for title, link in items[:20]:
        f.write(f"{title}|{link}\n")
Treat fetched headlines as untrusted news content, verify links before relying on them, and avoid letting headline text override user instructions.
