reddit-readonly

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (HIGH): The skill is installed from an untrusted GitHub repository (tristanmanchester/agent-skills) which is not on the trusted source list. The implementation logic in scripts/reddit-readonly.mjs is referenced but not provided for auditing, meaning the skill executes unverifiable code from an untrusted source.
  • Indirect Prompt Injection (MEDIUM): The skill's purpose is to ingest data from Reddit, which is a classic vector for indirect prompt injection.
      • Ingestion points: SKILL.md defines commands like comments and search that pull arbitrary text from Reddit posts and comment threads.
      • Boundary markers: No delimiters or safety instructions are provided in SKILL.md to help the agent differentiate between Reddit content and system instructions.
      • Capability inventory: The skill executes shell commands via node. While labeled 'read-only', the agent's interaction with the resulting untrusted content could lead to follow-on attacks.
      • Sanitization: No sanitization or filtering logic is present in the provided documentation.
  • Dynamic Execution (MEDIUM): The comments and thread commands accept a url as input. Without visibility into the script, there is a risk that this URL is used in a network request without sufficient validation, potentially allowing an attacker to point the agent at a malicious JSON payload on an external server.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:40 AM