← 返回 Skills 市场
Reddit Skill
作者
Artem Vysotsky
· GitHub ↗
· v0.1.0
449
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install reddit-skill
功能描述
Use ThreadPilot to manage Reddit account workflows (login, whoami, comments, replies, posts, subreddits, subscribe, read, search, rules, like, and post) with...
安全使用建议
This skill appears to implement legitimate Reddit CLI workflows, but there are notable inconsistencies you should address before installing: 1) The registry declares no required credentials but the README/SKILL.md reference many sensitive env vars (e.g., REDDIT_ACCESS_TOKEN, browser profile paths) — only supply tokens or profiles if you trust the upstream code and are prepared for local access. 2) The skill will auto-download or clone/build the threadpilot binary from GitHub at runtime; review the target repos (vood/threadpilot and vood/reddit-skill) and their release artifacts before allowing network installs. 3) Because the package is instruction-only and does not bundle the scripts it references, confirm which scripts will run and where they come from. 4) Prefer running this in an isolated environment or test account, avoid reusing real Reddit credentials until you audit the upstream code, and consider setting THREADPILOT_RELEASE_BASE_URL to a vetted mirror or performing a manual install after inspection. The absence of regex scanner findings is not a guarantee of safety — it only means there was no code for the scanner to analyze.
功能分析
Type: OpenClaw Skill
Name: reddit-skill
Version: 0.1.0
The skill is classified as suspicious primarily due to its auto-installation and execution of an external binary (`threadpilot`) from `https://github.com/vood/threadpilot/releases`, as described in `SKILL.md`, `README.md`, and `bin/REFERENCE.md`. This introduces a significant supply chain risk and potential Remote Code Execution (RCE) vulnerability, as the integrity and behavior of the external binary cannot be guaranteed. While the skill's instructions consistently emphasize human-in-the-loop safety and confirmation, the underlying `threadpilot` binary is not part of this bundle and its full behavior cannot be assessed. Additionally, the `REDDIT_CONFIRM_DOUBLE_POST` environment variable allows overriding duplicate-post protection, which could be exploited.
能力评估
Purpose & Capability
The name/description (Reddit workflows via ThreadPilot) matches the runtime instructions (whoami, login, read, like, post). However, the registry lists no required environment variables or primary credential while the README/SKILL.md enumerate many sensitive env vars (REDDIT_ACCESS_TOKEN, REDDIT_BROWSER_PROFILE, etc.) — a mismatch between declared requirements and actual usage.
Instruction Scope
SKILL.md instructs running scripts/threadpilot commands and explicitly references environment variables and browser profile paths. It also directs auto-bootstrap from github.com/vood/threadpilot (download release or clone/build). The skill may therefore read local files (browser profiles, cache dirs) and run downloaded binaries/source code — actions beyond mere 'read-only' browsing and proportionally broader than the declared manifest.
Install Mechanism
There is no install spec in the registry, but the README and SKILL.md describe auto-installing threadpilot from GitHub releases or cloning and building source. Downloading and executing a release asset or building cloned code at runtime is higher risk than an instruction-only skill; although GitHub releases are a reasonable source, auto-bootstrap means arbitrary remote code may be fetched and executed without an install policy in the registry.
Credentials
The registry declares no required env vars, yet the documentation lists numerous variables including sensitive ones (REDDIT_ACCESS_TOKEN, REDDIT_BROWSER_PROFILE, THREADPILOT_BIN, REDDIT_PROXY). The mismatch means the agent could ask for or use secrets that were not signaled up-front; requiring browser profile paths or access tokens is plausible for this purpose but should be explicitly declared and justified.
Persistence & Privilege
always:false and no heavy privileges requested. The skill's bootstrap/cache behavior will create a .threadpilot cache and may write binaries locally if installing — expected for CLI tools, but it does alter local disk state. It does not request system-wide always-on presence or modification of other skills.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install reddit-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/reddit-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Version 0.1.0
- Initial release of reddit-skill using ThreadPilot for browser-first Reddit account management from the CLI.
- Supports login, session verification, posting, comments, replies, subreddit rules checking, upvoting, subscribing, reading, and searching.
- Enforces human-in-the-loop safety with explicit confirmation or preview before engagement actions (likes, posts).
- Includes duplicate comment protection and recommends always retrieving subreddit rules before posting.
- Designed for command-line workflows with clear user prompts before publishing or interacting.
元数据
常见问题
Reddit Skill 是什么?
Use ThreadPilot to manage Reddit account workflows (login, whoami, comments, replies, posts, subreddits, subscribe, read, search, rules, like, and post) with... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 449 次。
如何安装 Reddit Skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install reddit-skill」即可一键安装,无需额外配置。
Reddit Skill 是免费的吗?
是的,Reddit Skill 完全免费(开源免费),可自由下载、安装和使用。
Reddit Skill 支持哪些平台?
Reddit Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Reddit Skill?
由 Artem Vysotsky(@vood)开发并维护,当前版本 v0.1.0。
推荐 Skills