Browse, search, post, and moderate Reddit. Read-only works without auth; posting/moderation requires OAuth setup.
Security Analysis
High confidence: The skill mostly matches a Reddit CLI (read, post, moderate) but has several inconsistencies around required credentials and setup instructions that ask for unnecessary sensitive data and mismatch the code — review before installing or exporting secrets.
Name/description (browse, post, moderate Reddit) aligns with the included script, which calls Reddit's public JSON API and OAuth endpoints. However, registry metadata claims no required env vars while both SKILL.md and README instruct the user to export REDDIT_CLIENT_ID, REDDIT_CLIENT_SECRET, REDDIT_USERNAME, and REDDIT_PASSWORD — an inconsistency. The code actually requires the client ID/secret for OAuth but does not appear to use REDDIT_USERNAME/REDDIT_PASSWORD in the shown login flow, so asking for the account password appears unnecessary for the implemented authorization-code flow.
SKILL.md instructs running the included node script and saving a token to ~/.reddit-token.json (which the code does). But there are mismatches in the instructions: SKILL.md tells you to use redirect URI http://localhost:8080 while README and the code use /callback (http://localhost:8080/callback). SKILL.md/README also tell you to export REDDIT_USERNAME and REDDIT_PASSWORD even though the implemented login function uses a browser-based OAuth authorization code flow and the code does not use the password. These discrepancies could lead users to expose their Reddit password unnecessarily.
No install spec; this is instruction-only with a bundled script file. Nothing is downloaded or extracted from arbitrary URLs as part of installation.
The skill requests sensitive credentials in documentation (client id/secret and also username/password). The code legitimately needs client id/secret for OAuth and stores tokens at ~/.reddit-token.json (expected). Requesting the Reddit account password (REDDIT_PASSWORD) appears unnecessary for the shown flow and is disproportionate; registry metadata also failed to declare the env vars, so the declared requirements do not match what the skill asks you to provide.
The skill stores an OAuth token in ~/.reddit-token.json and runs a short-lived local HTTP server to complete OAuth; this is reasonable for an OAuth CLI. always:false and no elevated system changes are requested.
Guidance
This skill largely does what it says (read/post/moderate Reddit), but there are mismatches you should address before installing or exporting secrets:
(1) The registry metadata declares no required environment variables, yet the docs tell you to export REDDIT_CLIENT_ID and REDDIT_CLIENT_SECRET — those are legitimately needed for OAuth; only set those if you trust the skill.
(2) The docs also ask you to export REDDIT_USERNAME and REDDIT_PASSWORD, but the included code uses a browser-based OAuth authorization code flow and does not appear to require your password — do NOT export your Reddit password unless the code explicitly needs and justifies it.
(3) The redirect URI differs between SKILL.md and README (one lacks the trailing /callback while the code uses /callback) — that will break login unless fixed.
(4) The script saves tokens to ~/.reddit-token.json; be aware a token with moderator scopes grants real moderation power if the app is authorized.
Recommended steps: review the script yourself (or ask the author) to confirm which env vars it actually reads, remove any guidance that asks for your Reddit password if not needed, only provide the client ID/secret to an app you trust, and consider creating a dedicated Reddit app with limited scopes for this skill rather than using your main account's credentials.
Latest Release
v1.0.0
Initial release: browse, search, post, and moderate subreddits
Published by @theglove44 on ClawHub