reddit-post

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to extract the user's Reddit modhash (a CSRF/auth token) via AppleScript and then insert that value verbatim into subsequent POST requests/JS, requiring the LLM to handle and emit a secret-like token.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill controls a real browser to call Reddit endpoints (e.g., /api/me.json to get modhash, /api/submit for the post response, and /r/SUBREDDIT/api/link_flair_v2 to fetch flair text), which are public, user-generated Reddit resources that the agent reads and interprets as part of its workflow.