Skillv1.0.0

ClawScan security

Reddit Master — The Complete Agent Playbook · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 20, 2026, 6:30 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: This skill is an instruction-only Reddit growth playbook whose requirements and instructions match its stated purpose; it asks for no credentials or installs and contains no hidden code, but it provides prescriptive guidance that could be used to evade moderation or automate manipulative behavior, so caution is warranted before automating it.
Guidance: This skill is internally consistent and doesn't request credentials or install software, so the technical risk is low. However, the content explicitly teaches techniques to avoid Reddit moderation and exploit ranking signals (timing, rapid early upvotes, shadowban checks). Before installing or letting an agent act on this: - Do not provide your Reddit credentials or OAuth tokens to the skill. - Avoid enabling autonomous agent actions that would post or vote on your behalf; use the playbook manually instead. - Be aware this guidance could violate Reddit's terms of service or community rules if used to manipulate votes or evade moderation—using it may risk account suspension. - If a future version adds code, network calls, or requests Reddit credentials, treat that as suspicious and re-evaluate (that change would raise the risk level).
Findings: [no-regex-findings] expected: The scanner found no code or regex hits. This is expected because the skill is instruction-only (SKILL.md only) and contains no executable files for static analysis.

Review Dimensions

Purpose & Capability: okThe name and description promise a Reddit growth playbook and the SKILL.md is exactly that: step‑by‑step posting/commenting guidance. There are no unrelated required binaries, environment variables, or install steps. The requested capabilities are proportionate to the stated purpose.
Instruction Scope: noteAll runtime content is behavioral guidance (when/how to comment/post, timing, subreddit etiquette, and how to check/avoid shadowbans). The instructions do not ask the agent to read local files, environment variables, or system state. However, the playbook explicitly describes tactics to avoid detection and exploit early-upvote dynamics; while coherent with its purpose, these are instructions for evasion/manipulation of platform systems and merit caution if the agent is allowed to act autonomously on behalf of a user.
Install Mechanism: okThere is no install spec and no code files—this is instruction-only. That minimizes technical risk because nothing will be written to disk or executed by default.
Credentials: okThe skill requests no environment variables, credentials, or config paths. Nothing in the manifest asks for unrelated secrets or access.
Persistence & Privilege: okalways is false and the skill does not request elevated persistence or modify other skills. Model invocation is enabled by default (normal). If you permit the agent to act autonomously, it could follow these behavioral instructions without extra technical privileges—consider that behavioral automation is where risk lies, not system-level privileges.