Browse, search, post, and moderate Reddit. Read-only works without auth; posting/moderation requires OAuth setup.
⭐ 45· 9.5k·114 current·121 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description (browse, post, moderate Reddit) aligns with the included script which calls Reddit's public JSON API and OAuth endpoints. However registry metadata claims no required env vars while both SKILL.md/README instruct the user to export REDDIT_CLIENT_ID, REDDIT_CLIENT_SECRET, REDDIT_USERNAME, and REDDIT_PASSWORD — an inconsistency. The code actually requires client ID/secret for OAuth but does not appear to use REDDIT_USERNAME/REDDIT_PASSWORD in the shown login flow, so asking for the account password appears unnecessary for the implemented authorization-code flow.
Instruction Scope
SKILL.md instructs running the included node script and saving a token to ~/.reddit-token.json (which the code does). But there are mismatches in the instructions: SKILL.md tells you to use redirect URI http://localhost:8080 while README and the code use /callback (http://localhost:8080/callback). SKILL.md/README also tell you to export REDDIT_USERNAME and REDDIT_PASSWORD even though the implemented login function uses a browser-based OAuth authorization code flow and the code does not use the password. These discrepancies could lead users to expose their Reddit password unnecessarily.
Install Mechanism
No install spec; this is instruction-only with a bundled script file. Nothing is downloaded or extracted from arbitrary URLs as part of installation.
Credentials
The skill requests sensitive credentials in documentation (client id/secret and also username/password). The code legitimately needs client id/secret for OAuth and stores tokens at ~/.reddit-token.json (expected). Requesting the Reddit account password (REDDIT_PASSWORD) appears unnecessary for the shown flow and is disproportionate; registry metadata also failed to declare the env vars, so the declared requirements do not match what the skill asks you to provide.
Persistence & Privilege
The skill stores an OAuth token in ~/.reddit-token.json and runs a short-lived local HTTP server to complete OAuth; this is reasonable for an OAuth CLI. always:false and no elevated system changes are requested.
What to consider before installing
This skill largely does what it says (read/post/moderate Reddit), but there are mismatches you should address before installing or exporting secrets: (1) The registry metadata declares no required environment variables, yet the docs tell you to export REDDIT_CLIENT_ID and REDDIT_CLIENT_SECRET — those are legitimately needed for OAuth; only set those if you trust the skill. (2) The docs also ask you to export REDDIT_USERNAME and REDDIT_PASSWORD, but the included code uses a browser-based OAuth authorization code flow and does not appear to require your password — do NOT export your Reddit password unless the code explicitly needs and justifies it. (3) The redirect URI differs between SKILL.md and README (one lacks the trailing /callback while the code uses /callback) — that will break login unless fixed. (4) The script saves tokens to ~/.reddit-token.json; be aware a token with moderator scopes grants real moderation power if the app is authorized. Recommended steps: review the script yourself (or ask the author) to confirm which env vars it actually reads, remove any guidance that asks for your Reddit password if not needed, only provide the client ID/secret to an app you trust, and consider creating a dedicated Reddit app with limited scopes for this skill rather than using your main account's credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk9786j8ftb44tths8htapcd7k97ympzy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📣 Clawdis
Binsnode