
reddit-post

Flagged

{
  "isSafe": false,
  "isSuspicious": true,
  "riskLevel": "medium",
  "findings": [
    {
      "category": "data_exfiltration",
      "severity": "medium",
      "description": "The skill uses injected JavaScript to read Reddit's modhash (CSRF token) and writes it to the browser tab title, then the host reads that title via osascript. This constitutes exfiltration of a sensitive token from the page into the host environment.",
      "evidence": "Step 1 writes: document.title=\\\"UH:\\\"+d.data.modhash and the osascript command reads the active tab title to retrieve the modhash."
    },
    {
      "category": "data_exfiltration",
      "severity": "medium",
      "description": "The workflow relies on browser cookies (credentials: include) to post via Reddit, effectively performing actions on behalf of the user without explicit OAuth/token-based authentication in code.",
      "evidence": "POST request to /api/submit uses credentials: include and uh (modhash) for CSRF protection."
    },
    {
      "category": "prompt_injection",
      "severity": "low",
      "description": "No explicit prompt-injection patterns detected in the skill content itself.",
      "evidence": ""
    },
    {
      "category": "suspicious_url",
      "severity": "low",
      "description": "No suspicious external URLs are embedded; placeholders include a GitHub URL, which is benign in this context.",
      "evidence": "url: \"https://github.com/your/repo\" (placeholder)"
    },
    {
      "category": "other",
      "severity": "high",
      "description": "Content includes guidance to avoid moderation/detection (Spam Filter Avoidance) and to evade Reddit’s anti-bot measures, which could enable misuse such as spam campaigns. This is a potential ethics/security risk.",
      "evidence": "Spam Filter Avoidance section with words to avoid, content triggers to avoid, and emphasis on undetectable posting."
    },
    {
      "category": "system_harm",
      "severity": "low",
      "description": "No explicit system-harm actions (e.g., disk wiping, crypto mining, privilege escalation) are present.",
      "evidence": ""
    }
  ],
  "summary": "The Reddit posting skill demonstrates browser-based automation to post to Reddit via the Reddit API, extracting a CSRF token from the page via the browser and using it to submit content. It introduces data exfiltration risk of CSRF tokens to the host, relies on user cookies for actions, and includes content that could be misused to evade moderation. A safer design would use official API flows with OAuth tokens and avoid manipulating the browser’s UI to extract tokens."
}

npx machina-cli add skill PHY041/claude-skill-reddit/reddit-post --openclaw
Files (1)
SKILL.md
6.9 KB

Reddit Posting Skill (AppleScript Chrome Control)

Post to Reddit by controlling the user's real Chrome via AppleScript. No Playwright, no Selenium, no API tokens.


How It Works

Claude Code → osascript → Chrome (real browser, logged in) → Reddit /api/submit
  • Same-origin fetch with cookies → undetectable
  • Reddit's /api/submit endpoint for text/link posts
  • Modhash from /api/me.json for CSRF protection

Prerequisites

  • macOS only (AppleScript is a macOS technology)
  • Chrome: View → Developer → Allow JavaScript from Apple Events (restart Chrome after enabling)
  • User logged into Reddit in Chrome

Method Detection (Run First)

WINDOWS=$(osascript -e 'tell application "Google Chrome" to return count of windows' 2>/dev/null)
if [ "$WINDOWS" = "0" ] || [ -z "$WINDOWS" ]; then
    echo "METHOD 2 (System Events + Console)"
else
    echo "METHOD 1 (execute javascript)"
fi

See reddit-cultivate skill for full Method 1 vs Method 2 details.


Posting Workflow

Step 1: Get Modhash

osascript -e 'tell application "Google Chrome" to tell active tab of first window to execute javascript "fetch(\"/api/me.json\",{credentials:\"include\"}).then(r=>r.json()).then(d=>{document.title=\"UH:\"+d.data.modhash})"'
sleep 2
osascript -e 'tell application "Google Chrome" to return title of active tab of first window'

Step 2: Submit Post

Navigate Chrome to reddit.com first (same-origin requirement), then submit:

(async()=>{
  try {
    let body = new URLSearchParams({
      sr: "SideProject",           // subreddit name (no r/ prefix)
      kind: "self",                // "self" for text, "link" for URL
      title: "Your post title",
      text: "Your post body with **markdown** support",
      uh: "MODHASH_HERE",
      api_type: "json",
      resubmit: "true"
    });
    let resp = await fetch("/api/submit", {
      method: "POST",
      credentials: "include",
      headers: {"Content-Type": "application/x-www-form-urlencoded"},
      body: body.toString()
    });
    let result = await resp.json();
    document.title = "POSTED:" + JSON.stringify(result);
  } catch(e) {
    document.title = "ERR:" + e.message;
  }
})()

For link posts, change:

kind: "link",
url: "https://github.com/your/repo",  // instead of text

Step 3: Extract Post Link

The response contains result.json.data.url — the direct link to the new post.

Step 4: Add Flair (if required)

Some subreddits require flair. After posting, use:

(async()=>{
  try {
    // First get available flairs
    let resp = await fetch("/r/SUBREDDIT/api/link_flair_v2", {credentials: "include"});
    let flairs = await resp.json();
    document.title = "FLAIRS:" + JSON.stringify(flairs.map(f => ({id: f.id, text: f.text})));
  } catch(e) {
    document.title = "ERR:" + e.message;
  }
})()

Then apply flair:

(async()=>{
  try {
    let body = new URLSearchParams({
      link: "t3_POST_ID",
      flair_template_id: "FLAIR_ID",
      uh: "MODHASH"
    });
    await fetch("/api/selectflair", {
      method: "POST",
      credentials: "include",
      headers: {"Content-Type": "application/x-www-form-urlencoded"},
      body: body.toString()
    });
    document.title = "FLAIR_SET";
  } catch(e) {
    document.title = "ERR:" + e.message;
  }
})()

Step 5: Session Summary

Always end with the post link:

| Sub | Title | Post Link |
|---|---|---|
| r/SideProject | "Your title" | https://www.reddit.com/r/SideProject/comments/abc123/... |

Spam Filter Avoidance

Words to AVOID in titles/body

| Avoid | Use Instead |
|---|---|
| crawl, crawled, crawling | compiled, cataloged, indexed, collected |
| scrape, scraping | gathered, extracted, retrieved |
| bot, automated | tool, script, program |
| free (overused) | open source, MIT licensed |
| hack, hacks | tips, techniques, methods |

Content Triggers to Avoid

  • Multiple external links (max 1-2)
  • URL shorteners (bit.ly, tinyurl)
  • New account + promotional content
  • Same content across multiple subreddits quickly
  • Excessive self-promotion language

Best Subreddits for Open Source Projects

| Subreddit | Members | Best For | Notes |
|---|---|---|---|
| r/coolgithubprojects | 60K | GitHub repos | Designed for this! |
| r/SideProject | 453K | Side projects | Very welcoming |
| r/opensource | 100K+ | Open source tools | Technical audience |
| r/programming | 6M+ | Dev tools | High competition |
| r/Python | 1.5M+ | Python tools | Active community |
| r/webdev | 2M+ | Web tools | "Showoff Saturday" only |
| r/selfhosted | 400K+ | Self-hosted tools | Great engagement |

Best Times to Post (US Eastern Time)

| Day | Best Time |
|---|---|
| Monday | 6-8 AM |
| Tuesday | 7-9 AM |
| Wednesday | 8-10 AM |
| Thursday | 7-9 AM |
| Friday | 6-8 AM |
| Saturday | 7-9 AM |
| Sunday | 8-10 AM |

Post 30 minutes BEFORE peak times for momentum building.


Post Templates

Open Source Project Announcement

Title: I built [PROJECT_NAME] - [one-line description] (open source)

Body:
Hey everyone,

I created [PROJECT_NAME] to solve [PROBLEM].

**What it does:**
- Feature 1
- Feature 2
- Feature 3

**Tech stack:** [Languages/frameworks]

**Links:**
- GitHub: [single link]

Happy to answer any questions!

Tool/Resource Share

Title: [TOOL_NAME]: [what it does] - free and open source

Body:
Built this because [reason/pain point].

**Features:**
- [List 3-5 key features]

**How to use:**
[Brief code example or instructions]

GitHub: [link]

Feedback welcome!

Cross-Posting Strategy

Stagger posts across subreddits for maximum reach:

  1. Day 1: Primary subreddit (most relevant)
  2. Day 2-3: Secondary subreddit (different audience)
  3. Day 4-5: General subreddit (r/SideProject, etc.)

Never post to multiple subreddits on the same day — triggers spam detection.


Error Recovery

| Issue | Solution |
|---|---|
| "Post removed by filters" | Rewrite without trigger words, reduce links |
| "You're doing that too much" | Wait 10-15 min, need more karma |
| "This community requires flair" | Use /api/selectflair after posting |
| "Title too long" | Keep under 300 characters |
| Post not visible | Check if shadowbanned: profile in incognito |
| Modhash expired | Re-fetch from /api/me.json |

Why AppleScript (Not Playwright)

| Tool | Problem |
|---|---|
| Playwright | navigator.webdriver=true, detected by Reddit |
| Selenium | Same detection issue |
| curl + API | IP blocked after few requests |
| AppleScript | Controls real Chrome, undetectable, cookies included |

Source

git clone https://github.com/PHY041/claude-skill-reddit

SKILL.md: https://github.com/PHY041/claude-skill-reddit/blob/main/.claude/skills/reddit-post/SKILL.md

Overview

Reddit-post lets you publish to Reddit by controlling your real Chrome browser with AppleScript. It supports posting text and links to subreddits without using APIs or tokens, making it useful for sharing open-source projects or updates from macOS. It triggers on common Reddit posting requests like 'post to reddit' or 'submit to subreddit'.

How This Skill Works

Claude Code runs through osascript to execute JavaScript in the active Chrome tab that's logged into Reddit, then uses Reddit's /api/submit with cookies and a modhash for CSRF protection. It supports both text (self) and link posts, retrieving the modhash from /api/me.json and submitting the payload via a same-origin fetch. No Playwright, Selenium, or API tokens are required; it leverages the real browser session for posting.
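
The flow described above leaves recognizable text in a skill file, so a reviewer can check for it statically before installing a skill. The following is an added example, not part of the skill or of the registry's scanner; the rule names, `reviewSkill` and both sample strings are constructed for illustration.

```javascript
// Added example: static review rules for agent skill files (rule ids are hypothetical).
const RULES = [
  { id: "applescript-js-injection", severity: "medium",
    re: /osascript[^\n]*execute javascript/i,
    why: "host shell injects JavaScript into the user's logged-in browser tab" },
  { id: "title-side-channel", severity: "medium",
    re: /document\.title\s*=[^\n;]*(modhash|token|cookie|JSON\.stringify)/i,
    why: "page data is copied into the tab title, where the host can read it" },
  { id: "ambient-cookie-post", severity: "medium",
    re: /method:\s*\\?["']POST\\?["'][\s\S]{0,200}?credentials:\s*\\?["']include\\?["']/i,
    why: "state-changing request rides on the user's session cookies" },
  { id: "evasion-language", severity: "high",
    re: /\bundetectable\b|spam filter avoidance/i,
    why: "text advertises avoiding platform detection or moderation" },
];

// Return one finding per matching rule, with the 1-based line of the first hit.
function reviewSkill(text) {
  const findings = [];
  for (const rule of RULES) {
    const m = rule.re.exec(text);
    if (!m) continue;
    const line = text.slice(0, m.index).split("\n").length;
    findings.push({ id: rule.id, severity: rule.severity, line, why: rule.why });
  }
  return findings;
}

// Constructed sample: a shortened skill file using the same patterns as this page.
const SAMPLE_SKILL = [
  "How It Works",
  "Same-origin fetch with cookies, undetectable",
  "osascript -e 'tell application \"Google Chrome\" to tell active tab of first window to execute javascript \"fetch(\\\"/api/me.json\\\").then(r=>r.json()).then(d=>{document.title=\\\"UH:\\\"+d.data.modhash})\"'",
  "let resp = await fetch(\"/api/submit\", {",
  "  method: \"POST\",",
  "  credentials: \"include\",",
  "});",
].join("\n");

// Constructed benign sample: no rule should fire.
const BENIGN_SKILL = "Format a changelog from git log output.\ngit log --oneline";

console.log(reviewSkill(SAMPLE_SKILL));
```

A match is a prompt for manual review rather than a verdict: the rules key on literal text and will miss the same behaviour written differently.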

When to Use It

  • You want to post a text update to a subreddit from macOS using your real Chrome session
  • You want to share a link (e.g., a GitHub repo) to a subreddit
  • You're promoting an open-source project on Reddit and prefer a browser-based flow
  • You need to post without generating or managing Reddit API tokens
  • You already have Chrome logged in and want to automate posting to a specific subreddit (e.g., r/SideProject)

Quick Start

  1. Verify macOS prerequisites, ensure Chrome is logged into Reddit, and allow JavaScript from Apple Events
  2. Run the provided AppleScript/JavaScript flow to fetch the modhash from /api/me.json
  3. Build the post payload (self or link) and submit to /api/submit, then extract the resulting post URL

Best Practices

  • Ensure you are logged into Reddit in Chrome before running the skill
  • Provide the subreddit name without the r/ prefix (e.g., SideProject)
  • Test with a text post (self) first to verify the flow, then use a link post if needed
  • Keep content Markdown-friendly and comply with subreddit guidelines
  • Respect Reddit's CSRF protections and only use resubmit when appropriate

Example Use Cases

  • Post a project update to r/SideProject as a self post with a concise title and body
  • Share a GitHub repository link to r/programming with a descriptive title
  • Promote an OSS project in r/opensource using a link post
  • Publish a tutorial or guide by posting a link to r/learnprogramming
  • Announce a new release or milestone to r/webdev with a text post
