Is reddit safe?

https://clawhub.ai/theglove44/reddit

68
CAUTION

The Reddit skill provides legitimate Reddit browsing and posting functionality with a clean SKILL.md that contains no prompt injection. However, the critical executable file reddit.mjs was NOT captured in the audit bundle, making it impossible to verify the safety of the only code that actually runs. Combined with the requirement for plaintext Reddit credentials and the ability to post content to public subreddits, this creates a meaningful unverified attack surface.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 42/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (8)

CRITICAL Executable script source code missing from audit -45

The file reddit/scripts/reddit.mjs is the sole executable component of this skill and is referenced in every command, but its source code was not captured in the audit bundle. Without reviewing this file, it is impossible to determine whether it contains malicious code, data exfiltration logic, obfuscated payloads, or command injection vulnerabilities. This is the single largest gap in the audit.

HIGH Reddit credentials stored as environment variables -35

The skill requires REDDIT_CLIENT_ID, REDDIT_CLIENT_SECRET, REDDIT_USERNAME, and REDDIT_PASSWORD as plaintext environment variables. Any code with shell access (including the unaudited reddit.mjs) can read these. The OAuth token is persisted to ~/.reddit-token.json in the home directory, accessible to any process.

HIGH Unverifiable external network communication -20

The skill is designed to communicate with Reddit's API servers, but since reddit.mjs source is unavailable, we cannot verify it only contacts reddit.com. The script could send data to any endpoint.

MEDIUM Broad shell execution surface via node commands -13

Every skill command executes node with user-provided arguments (subreddit names, search queries, post text, URLs). If reddit.mjs does not properly sanitize these inputs, command injection is possible. Even if reddit.mjs is safe, the pattern of injecting user-controlled strings into shell commands is inherently risky.

MEDIUM Submit/reply commands could exfiltrate data via Reddit posts -25

The submit and reply commands allow the agent to post arbitrary content to public subreddits. A malicious or confused agent could be tricked into posting sensitive information (env vars, file contents, conversation history) as Reddit posts, effectively exfiltrating data through a legitimate channel.

MEDIUM Moderation commands grant destructive capabilities -8

The skill includes moderation commands (remove, lock, sticky) that can destructively modify subreddit content. While these require mod permissions, an agent with this skill could be socially engineered into performing unwanted moderation actions.

LOW Skill requests broad permissions without scoping -10

The skill does not limit which subreddits or actions the agent can perform. There is no allowlist or restriction mechanism. The agent is given full Reddit API access bounded only by the OAuth token's permissions.

INFO Openclaw runtime accessed .aws/credentials during install -10

The filesystem monitoring shows /home/oc-exec/.aws/credentials was opened during the skill install phase. This appears to be the openclaw agent runtime's standard credential chain resolution (not the skill itself), but is noted for completeness.