threadpilot-cli
Warn
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing prebuilt binaries located in the `bin/` directory (`redditcli-darwin-amd64`, `redditcli-linux-arm64`, etc.) via the `scripts/reddit-cli` wrapper. It also includes a cron template (`ops/openclaw/reddit_cli.cron`) designed to schedule these commands for automated execution.
- [CREDENTIALS_UNSAFE]: The skill manages sensitive Reddit credentials, including usernames, passwords, and access tokens. The documentation in `SKILL.md` and `README.md` provides examples of passing passwords directly as command-line arguments (e.g., `--password "<reddit-password>"`), which is an insecure practice as it makes secrets visible in the system's process list and shell history.
- [REMOTE_CODE_EXECUTION]: The package ships with compiled binary executables for multiple platforms. As these are opaque files without the corresponding source code provided for verification, they represent a supply chain risk where unverified code is executed on the host system.
Audit Metadata