Reddit Skill
Review
Audited by ClawScan on May 10, 2026.
Overview
This Reddit automation skill is understandable, but it relies on missing wrapper code and external ThreadPilot downloads/builds while using Reddit account credentials to like or post.
Review or obtain the missing scripts/threadpilot wrapper before use. If you proceed, manually install a pinned and verified ThreadPilot release, use a low-risk Reddit account or scoped token, avoid sharing a sensitive browser profile, and require explicit confirmation before any like, comment, subscription, or post.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may run ThreadPilot code that was not reviewed as part of this package.
The skill relies on external binaries or source builds that are not included in the provided artifact set, creating a provenance and integrity gap for code that would handle Reddit sessions and actions.
`scripts/threadpilot` resolves runtime in this order: ... `Auto-install from vood/threadpilot release asset by version` ... `Source fallback by cloning vood/threadpilot and building`
Bundle the launcher or provide a clear install spec, pin exact versions, verify hashes or signatures, and require user approval before downloading or building external code.
A user may over-trust the stated confirmation and duplicate-post protections without being able to review the code that enforces them.
The README claims the package includes `scripts/threadpilot` safe wrappers and an `ops/openclaw/reddit_cli.cron` template, but those files are absent from the supplied manifest, so the advertised safety wrappers are not inspectable here.
4 file(s): README.md; SKILL.md; agents/openai.yaml; bin/REFERENCE.md
Do not rely on the safety claims until the referenced wrapper and scheduler files are provided and reviewed.
The tool could operate with a logged-in Reddit identity and perform account actions such as liking or posting.
The skill can use Reddit OAuth credentials or a persistent browser profile to act as the user, but the artifacts do not clearly bound token scope, session storage, retention, or output behavior.
`REDDIT_ACCESS_TOKEN`: OAuth token for API-backed flows. ... `REDDIT_BROWSER_PROFILE`: Persistent browser profile path.
Use a dedicated Reddit account or narrowly scoped token if possible, avoid reusing a sensitive browser profile, and require explicit user approval for any account-mutating action.
If used incorrectly, the agent could like or publish content from the user's Reddit account.
The skill documents commands for liking and publishing Reddit comments. This is purpose-aligned and disclosed, but these are public account-mutating actions.
`REDDIT_CONFIRM_LIKE=1 scripts/threadpilot like-target` ... `REDDIT_TEXT='...' scripts/threadpilot post-comment`
Require a preview and clear human confirmation before every like, comment, subscription, or post.
If a scheduler is later installed, the tool could keep checking or acting on the Reddit account outside a one-off session.
The README describes scheduled Reddit-account checks and optional scheduled engagement workflows. It says engagement workflows are disabled by default, so this is a notice rather than a standalone concern.
Cron template: ... Daily session validation (`whoami`) ... Optional like workflow (disabled by default) ... Optional post-comment workflow (disabled by default)
Only enable scheduled workflows after reviewing the cron file and confirming every engagement action remains opt-in.
