Reddit (read only - no auth)

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Search terms, subreddit names, and requested post URLs may be sent to Reddit when the agent uses the skill.

Why it was flagged

The skill runs a local command that sends user-supplied Reddit search terms to an external service. This is disclosed and central to the skill's read-only Reddit browsing purpose.

Skill content

node {baseDir}/scripts/reddit-readonly.mjs search all "<query>" --limit 10

Recommendation

Use non-sensitive queries and keep limits modest; review results before acting on them manually.

What this means

A user has less external context for who maintains the skill or where to verify updates.

Why it was flagged

The runnable skill has no declared upstream source or homepage, which limits provenance checks even though the visible behavior is coherent and read-only.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you trust the registry owner or can inspect the full included script before use.

What this means

The agent may execute the included script locally to fetch Reddit data.

Why it was flagged

The skill operates by executing an included Node.js script. This is expected for its CLI-based design, but users should understand that local code will run with network access.

Skill content

node {baseDir}/scripts/reddit-readonly.mjs posts <subreddit>

Recommendation

Ensure Node.js is from a trusted installation and review the script if you require a high-assurance environment.

Findings (1)

critical

suspicious.env_credential_access

Location

scripts/reddit-readonly.mjs:16

Finding

Environment variable access combined with network send.