Trust Assessment
The reddit skill received a trust score of 83/100, placing it in the Mostly Trusted category. This skill has passed most security checks, with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings: potential for command injection via child_process.exec (high); overly broad OAuth scopes requested (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential for command injection via child_process.exec. The script imports `child_process.exec`, which allows arbitrary command execution. As a command-line interface (CLI) tool, `scripts/reddit.mjs` processes user-supplied arguments (`process.argv`). If these arguments are directly or indirectly passed to `exec` without proper sanitization or escaping, a malicious user could inject and execute arbitrary shell commands on the host system. While the specific usage of `exec` is not visible due to truncation of the provided file, the presence of the import indicates a high-risk capability that requires careful review of its implementation. Recommendation: thoroughly review all instances where `child_process.exec` (or `spawn`, `fork`, `execFile`) is used. Ensure that all user-supplied inputs are strictly validated, sanitized, and properly escaped before being passed to shell commands. Prefer `child_process.execFile` or `spawn` with an array of arguments over `exec` when possible, as they are less prone to shell injection. If `exec` must be used, ensure `shell: false` is set if possible, or use a robust escaping library. | LLM | scripts/reddit.mjs:10 |
| MEDIUM | Overly broad OAuth scopes requested. The skill requests a wide range of OAuth scopes (`read submit edit identity mysubreddits modposts modcontributors modmail modconfig modlog modself flair`), which include powerful moderation capabilities such as `modmail`, `modconfig`, `modself`, and `flair`. While the skill description mentions moderation, some of these scopes appear to exceed the explicitly listed functionalities (e.g., "remove post/comment", "sticky post", "view modqueue"). Requesting only the minimum necessary permissions reduces the attack surface and the potential impact of a compromised token. Recommendation: review the required Reddit API scopes and reduce them to the absolute minimum necessary for the skill's described functionality. For example, if `modmail` or `modconfig` are not used, remove them. | LLM | scripts/reddit.mjs:27 |
Full report: https://skillshield.io/report/e02e4fa998b47016