ClawHub

Reddit (read only - no auth)

v1.0.0

Browse and search Reddit in read-only mode using public JSON endpoints. Use when the user asks to browse subreddits, search for posts by topic, inspect comment threads, or build a shortlist of links to review and reply to manually.

8· 3.5k·18 current·20 all-time
byTristan Manchester@tristanmanchester
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the implementation: the script queries public reddit.com JSON endpoints, lists/searches posts, and fetches comment threads. Declared runtime requirement (node) is appropriate. Minor mismatch: the code requires global fetch (Node.js 18+), but SKILL.md only lists 'node' without a minimum version.
Instruction Scope
SKILL.md instructions stay within the Reddit read-only scope and instruct only list/search/thread/comment-style operations. However, the script's buildUrl() will accept a full https?:// URL and will fetch it unchanged — so if a command or user-supplied argument contains a non-Reddit URL, the script could fetch arbitrary HTTP(S) endpoints (internal or external). The SKILL.md does not warn about this; practically the commands as documented usually build Reddit paths, but the full-URL passthrough is a capability mismatch that could be abused if an agent or user supplies unexpected input.
Install Mechanism
No install spec — instruction-only with an included Node script. Nothing is downloaded from external URLs or written to unexpected locations during install.
Credentials
No required credentials or secrets. Optional environment variables are non-sensitive tuning parameters (delays, timeout, user-agent). This is proportionate to a read-only scraper.
Persistence & Privilege
always is false and there are no requested config paths or system-wide changes. The skill does not request persistent privileges or modify other skills. Autonomous invocation is allowed (platform default) and is not by itself concerning here.
What to consider before installing
This skill appears to do what it says (read-only Reddit browsing) and requires only Node. Before installing: (1) confirm you run Node 18+ (the script uses the global fetch API); (2) review that you're comfortable running a local Node script that makes outbound HTTP(S) requests — the code will fetch any full URL if passed one, which could reach internal services if an input is malicious or misused; (3) there are no secrets requested and it does not post or modify Reddit content, but run it in a sandbox or with network controls if you’re concerned about arbitrary-host fetching; (4) if you want the skill to be stricter, ask the author to restrict buildUrl to reddit.com only and to state the Node version requirement in SKILL.md.

Like a lobster shell, security has layers — review code before you run it.

latestvk972v75z6vq0emgb6kxr711r3n7zzm99

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔎 Clawdis
Binsnode

Comments