Reach

Security checks across malware telemetry and agentic risk

Overview

Reach is a disclosed high-authority web automation skill, but it can move funds, use login sessions, send email, solve CAPTCHAs, and persist sensitive data without enough built-in user controls.

Install only if you intend to run a high-authority automation agent. Use isolated test wallets and test accounts first, avoid production private keys, protect or regularly clear the data directory, and add your own approval gates before any signing, payment, login, cookie import, outbound email, CAPTCHA solving, or webhook-driven action. Treat saved cookies and API-key session files as active credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (38)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes powerful capabilities including environment-variable access, network operations, and shell-adjacent server/CLI execution, yet no explicit permission model or safety boundary is declared. In an autonomous agent context, this increases the chance that the agent can access secrets, make external requests, or trigger sensitive actions without clear user consent or sandboxing.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior substantially exceeds the stated purpose, including payment flows, webhook hosting, persistent storage, session recording, cookie/session handling, and external-service integrations. This mismatch can mislead users and orchestrators about the true trust boundary, causing the skill to be invoked in contexts where these higher-risk capabilities were not expected or approved.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The primitive is named and documented as a signing helper, but in 'transaction' mode it calls wallet.sendTransaction() and waits for confirmation, which performs a live on-chain state change. In an agent skill that autonomously interacts with websites and services, this mismatch is highly dangerous because callers may believe they are requesting an offline signature while actually authorizing fund transfers, approvals, or contract interactions on mainnet.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The docstring states this primitive signs messages, transactions, or typed data, but the implementation for transactions submits and confirms a real blockchain transaction. This misleading interface can cause downstream agents, developers, or policy layers to classify the action as low-risk signing instead of value-moving execution, increasing the chance of unintended asset loss or unauthorized contract calls.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises transaction signing and payment execution, including sending ETH/ERC-20s and automatic x402 payment flows, but does not prominently warn that these actions can transfer real funds irreversibly. In an agent-facing web automation skill, this omission is dangerous because natural-language or automated workflows may trigger financial actions without explicit human confirmation, increasing risk of prompt-injection-driven or accidental asset loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README documents login automation, cookie/session reuse, email sending/receiving, webhook ingestion, and remote inbox access without clear privacy, retention, or trust-boundary warnings. Because this skill handles credentials, inbox contents, webhook payloads, and persisted local/remote data, missing guidance can lead users to expose sensitive information, accept untrusted inbound content, or deploy insecure integrations.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The natural-language interface appears broad enough to translate unconstrained text into web actions, logins, email operations, or payments without documented trigger restrictions. In a web automation skill with transaction signing and messaging features, ambiguous NL execution materially raises the risk of prompt injection, unintended side effects, and unsafe autonomous actions.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill advertises highly sensitive operations including logins, transaction signing, email, CAPTCHA solving, and payments, but does not present safety warnings, consent requirements, or abuse considerations. In this context, omission of warnings is dangerous because agents and users may treat these actions as routine automation rather than privileged actions with financial and account-security consequences.

Missing User Warnings

High
Confidence
99% confidence
Finding
The documentation instructs use of highly sensitive secrets such as a wallet private key, API keys, and service tokens without accompanying guidance on secret storage, rotation, scoping, or confirmation controls. Because the skill can sign transactions, send email, authenticate to services, and solve CAPTCHAs, compromise or misuse of these secrets could directly lead to account takeover, fraudulent transactions, and persistent abuse.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The report recommends adding a PRIVATE_KEY to .env or passing a privateKey option without any guidance on secure secret handling, rotation, scoping, or safer alternatives. In a skill whose purpose includes signing transactions, normalizing casual private-key injection increases the chance operators will persist high-value credentials insecurely or expose them through logs, files, or environment leakage.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The report positively highlights anti-detection features such as user-agent spoofing and webdriver flag removal without documenting user consent, policy constraints, or legitimate bounded use cases. In an autonomous web-interaction skill, these capabilities can materially aid stealthy automation, evasion of bot defenses, and abuse of third-party services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code persists all browser cookies for each domain to plaintext JSON files on disk, then silently reloads them into future sessions. In a web-automation skill that can log into services, send email, and sign transactions, these cookies may contain active authenticated sessions, so local file disclosure, multi-tenant access, backup leakage, or accidental reuse could enable account takeover without re-entering credentials.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This command imports cookie files directly into saved sessions without any trust boundary, confirmation, or warning about overwriting existing authentication state. In a skill designed to browse, log in to services, and act autonomously, importing attacker-supplied cookies could silently bind the agent to an untrusted or hijacked session and cause unintended actions under that session.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The constructor accepts a wallet private key and copies it into process.env.PRIVATE_KEY, expanding the secret's scope from an instance-local option into process-wide mutable state. In a skill with broad capabilities like web automation, signing, email, and plugin-style imports, this increases the chance of accidental leakage, cross-component access, or misuse by unrelated code running in the same process.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The server exposes a `web_authenticate` tool that accepts credentials and performs authentication with no confirmation, policy gating, or trust boundary checks in this file. In an agent-facing web automation skill, this enables silent use of user passwords/API keys against arbitrary services and materially increases the risk of credential misuse, phishing-style login flows, and account compromise.

Missing User Warnings

High
Confidence
98% confidence
Finding
The `web_sign` tool exposes message and transaction signing directly to the agent with no user confirmation, transaction simulation, origin binding, or spend limits shown in this file. In the context of an autonomous web agent, this is especially dangerous because prompt injection or a malicious site could induce signing of malicious messages or blockchain transactions, leading to irreversible asset loss or authorization abuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The `web_email` tool allows outbound email transmission to arbitrary recipients without any visible confirmation, recipient restrictions, or abuse controls in this file. For an autonomous agent, this can be abused to exfiltrate sensitive data, send phishing/spam, or trigger business-process fraud from a trusted sender identity.

Missing User Warnings

High
Confidence
98% confidence
Finding
The parser converts free-form natural language directly into a `pay` plan and `executeCommand` invokes `reach.pay` immediately, with no confirmation, allowlist, policy check, or amount/recipient validation beyond simple regex parsing. In a skill explicitly designed to act autonomously on the web, this makes prompt injection, misunderstood user intent, or malicious task text capable of triggering irreversible asset transfers.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The email command is parsed from natural language and then sent via `reach.email` without a user-visible review or confirmation step. In an autonomous browsing/email skill, that enables social-engineering abuse, data exfiltration, spam, or reputational harm if hostile page content or ambiguous instructions are translated into outbound email actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The login/auth pattern allows natural-language input like 'login to <service>' to trigger `reach.authenticate` directly, with no disclosure that stored cookies, sessions, or credentials may be used. Because this skill is meant to autonomously browse and interact with services, unexpected authentication materially increases the blast radius of prompt injection or accidental command matching by granting access to sensitive accounts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists raw API keys to disk in a JSON file under the sessions directory, creating a long-lived secret at rest with no encryption, access control hardening, or user disclosure in this component. In an agent skill designed to autonomously browse, log in, and interact with third-party services, compromise of the local filesystem, logs, backups, or neighboring components could expose the key and enable unauthorized API access beyond the current session.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The login flow saves authentication cookies to disk after successful sign-in, effectively turning transient browser session material into persistent bearer credentials. Because this skill is explicitly intended to autonomously log in to services and act on the web, stolen cookie files could let an attacker hijack authenticated sessions, bypass passwords or MFA, and act as the user on external platforms.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code sends the page URL and CAPTCHA sitekey to CapSolver, a third-party service, without any explicit user consent, policy gate, or allowlist. In an agent that autonomously browses, logs in, and fills forms, this can disclose sensitive browsing targets and facilitate bypass of anti-abuse controls on sites the user may not realize are being delegated to an external solver.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The primitive automatically consumes CAPSOLVER_API_KEY from the environment, enabling use of a paid external solving service without a strong user-facing warning or explicit confirmation. While not exfiltrating the key directly, silently relying on a sensitive credential increases the chance of unintended third-party service use, billing exposure, and policy violations in autonomous runs.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
Incoming emails are written in full to local disk under data/inbox, creating persistent storage of potentially sensitive message contents. In an autonomous web/email agent context, this increases exposure of credentials, reset links, PII, and other secrets if the host is compromised, backups are leaked, or multiple components can read the workspace.

VirusTotal

64/64 vendors flagged this skill as clean.