Back to skill

Security audit

Agent Reach

Security checks across malware telemetry and agentic risk

Overview

This skill needs Review because it enables broad social/web access, asks for login cookies, and includes posting and anti-bot bypass examples without tight consent boundaries.

Install only if you intentionally want a broad web and social-platform automation setup. Prefer dedicated secondary accounts, avoid pasting raw cookies into chat, review what is stored under ~/.agent-reach, and require explicit confirmation before any posting, commenting, liking, proxy change, or browser-cookie extraction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is presented as an installer/configuration utility, but the documentation operationalizes many upstream tools for direct search, reading, scraping, and publishing across platforms. This scope mismatch is dangerous because it can cause the skill to be invoked in broader contexts than intended and effectively smuggle high-risk data-access and action capabilities behind a benign setup label.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The document claims the tool does not provide read/search/content-fetching commands, yet immediately provides detailed guidance for performing exactly those activities via bundled upstream tools. That contradiction increases the chance that agents or users will treat the skill as safe configuration-only infrastructure while still enabling broad collection behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Documenting XiaoHongShu publishing commands introduces an outbound write capability unrelated to installing or enabling channels. In a skill framed as setup tooling, this creates unnecessary account-risk and abuse potential, including unauthorized posting, spam, or reputational harm if an agent executes these commands with imported credentials.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The WeChat section explicitly recommends a stealth browser to bypass anti-bot protections, which goes beyond ordinary configuration and normal access patterns. Including anti-detection guidance in a setup skill increases legal, compliance, and platform-abuse risk and normalizes evasive scraping behavior.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Very broad triggers like 'configure' and 'install' are likely to collide with many unrelated user requests, causing this powerful skill to activate unexpectedly. Given the skill installs software, configures proxies, and handles credentials, overbroad invocation materially raises the chance of unintended execution in the wrong context.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill instructs users to export browser cookies and send them to the agent, but does not clearly frame them as highly sensitive bearer credentials that can grant account access. This is dangerous because it encourages credential exfiltration into the agent context, where they may be logged, reused, or mishandled, leading to account compromise.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.