Reddit Archive

Security checks across malware telemetry and agentic risk

Overview

This Reddit archiving skill mostly does what it says, but it reads local browser login cookies by default to download Reddit videos.

Install only if you are comfortable with yt-dlp reading cookies from your local browser profile. Use REDDIT_COOKIES_BROWSER=none for image-only or non-Reddit-video archives, consider a separate browser profile or Reddit account for downloads, and pin dependency versions before using it in a repeatable or sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The script is designed to pull browser-derived Reddit cookies via yt-dlp's --cookies-from-browser option in order to access media. Even if intended to make authenticated downloads work, this introduces credential-access behavior not clearly disclosed by the tool's primary purpose and expands trust from public scraping to local session extraction.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill explicitly instructs users to remain logged into Reddit and says the script will automatically load browser cookies for yt-dlp, but it does not clearly warn that this accesses authenticated browser session data and may expose account-scoped access to a third-party downloader. Even if intended for legitimate video access, silent or underexplained cookie use increases the risk of credential misuse, overcollection, or accidental disclosure in logs/process arguments.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The code silently enables reading cookies from a local browser profile unless the environment variable disables it, which means users may trigger local session access without an explicit consent flow. In a tool marketed as an archive/downloader, hidden credential use is a meaningful security and privacy concern even if the cookies are intended only for authenticated Reddit access.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  requests
  yt-dlp
Confidence: 97%
Finding: requests

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  requests
  yt-dlp
Confidence: 97%
Finding: yt-dlp

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 95%
Finding: requests

Known Vulnerable Dependency: yt-dlp — 7 advisories: CVE-2023-46121 (yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection); GHSA-3v33-3wmw-3785 (yt-dlp has dependency on potentially malicious third-party code in Douyu extract); CVE-2023-40581 (yt-dlp on Windows vulnerable to `--exec` command injection when using `%q`) +4 more

Severity: High
Category: Supply Chain
Confidence: 94%
Finding: yt-dlp

VirusTotal

VirusTotal findings are pending for this skill version.
