Trust Assessment
reddit-readonly received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Server-Side Request Forgery (SSRF) via arbitrary URL fetch.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Server-Side Request Forgery (SSRF) via arbitrary URL fetch | LLM | scripts/reddit-readonly.mjs:300 |

Description: The `comments` and `thread` commands allow the user to provide a URL as input. If this URL does not match a specific Reddit comment permalink pattern, the script treats it as a full URL and makes an HTTP request to it using `fetchJson`. This allows an attacker to trick the agent into making requests to arbitrary external or internal network resources from the agent's host, potentially leading to information disclosure, port scanning, or interaction with internal services.

Recommendation: Modify the `buildUrl` function to strictly enforce that all URLs must be within the `https://www.reddit.com` domain, or explicitly validate and whitelist domains for user-provided URLs. For the `comments` and `thread` commands, ensure that the `post_id|url` argument is always processed to extract a Reddit post ID and then construct the URL using the `BASE_URL` constant, rather than accepting arbitrary full URLs.