Reach
Warn
Audited by ClawScan on May 10, 2026.
Overview
Reach is a very powerful autonomous browser skill with wallet, email, session, and CAPTCHA-solving powers, but the artifacts do not show enough controls around those high-impact actions.
Install only in an isolated environment after reviewing the source. Do not use a personal wallet, main email account, or personal browser cookies unless you fully trust the code and have set strict limits. Prefer test wallets, limited API keys, localhost-only servers, disabled CAPTCHA solving, and regular cleanup of the data directory.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

1. A mistaken prompt, tool call, or compromised agent workflow could sign messages or transactions, or send funds from the configured wallet.
The skill exposes signing and payment primitives backed by a wallet private key, but the provided instructions do not describe human confirmation, spend limits, recipient allowlists, or dry-run safeguards.
`sign(payload)` | Crypto signing ... `pay(recipient, amount, opts)` | Send ETH/ERC-20/x402 payments ... `PRIVATE_KEY=0x... # Wallet private key for signing/payments`
Use only a test or tightly capped wallet unless the skill adds explicit per-transaction confirmation, network and spend limits, recipient allowlists, and auditable logs.
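As an added illustration (not Reach's own code), the following guard wraps a hypothetical `pay(recipient, amount, opts)` primitive with the controls this finding asks for: a recipient allowlist, per-transaction and per-run spend caps, a dry-run mode, and an audit log. The policy values and the stub `sendStub` are constructed for the example; amounts are integer strings in the token's smallest unit.

```javascript
'use strict';

// Pure policy check, kept synchronous so it can be tested without a wallet.
// Returns { ok, reason }; the reason is what gets written to the audit log.
function checkPayment(policy, state, recipient, amount) {
  let amt;
  try { amt = BigInt(amount); } catch (e) { return { ok: false, reason: 'amount is not an integer' }; }
  const allow = policy.allowlist.map((a) => a.toLowerCase());
  if (!allow.includes(String(recipient).toLowerCase())) {
    return { ok: false, reason: 'recipient not allowlisted' };
  }
  if (amt <= 0n || amt > BigInt(policy.maxPerTx)) {
    return { ok: false, reason: 'exceeds per-transaction cap' };
  }
  if (state.spent + amt > BigInt(policy.maxPerRun)) {
    return { ok: false, reason: 'exceeds per-run budget' };
  }
  return { ok: true, reason: policy.dryRun ? 'dry-run' : 'allowed' };
}

// Wraps the real payment function. Every attempt, allowed or denied, is logged
// before anything is sent, and spend is only counted after a successful send.
function createPaymentGuard(payFn, policy) {
  const state = { spent: 0n, log: [] };
  async function pay(recipient, amount, opts = {}) {
    const verdict = checkPayment(policy, state, recipient, amount);
    state.log.push({ recipient, amount: String(amount), at: new Date().toISOString(), ...verdict });
    if (!verdict.ok) throw new Error(`payment denied: ${verdict.reason}`);
    if (policy.dryRun) return { dryRun: true };           // nothing leaves the wallet
    const result = await payFn(recipient, String(amount), opts);
    state.spent += BigInt(amount);
    return result;
  }
  return { pay, auditLog: () => state.log.slice(), spent: () => state.spent };
}

// Constructed demo: a stub sender and a tight policy (hypothetical addresses).
async function sendStub(recipient, amount) { return { txHash: '0xstub', recipient, amount }; }
const demoPolicy = {
  allowlist: ['0xAbC0000000000000000000000000000000000001'],
  maxPerTx: '1000',   // smallest units per transaction
  maxPerRun: '1500',  // smallest units per process lifetime
  dryRun: false,
};
const demoGuard = createPaymentGuard(sendStub, demoPolicy);
demoGuard.pay('0xabc0000000000000000000000000000000000001', '500')
  .then(() => demoGuard.pay('0xdead000000000000000000000000000000000002', '10'))
  .catch((err) => console.log(err.message, demoGuard.auditLog()));
```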

2. The wallet key may be exposed more broadly than the caller expects, especially if other plugins, tools, or dependencies run in the same Node process.
A private key passed in options is copied into the process-wide environment, making it available to any other code running in the same process.
`if (options.wallet?.privateKey) { process.env.PRIVATE_KEY = options.wallet.privateKey; }`
Avoid process-wide private-key storage; pass keys only to the signing/payment code path, support hardware or delegated wallets, and document credential scope clearly.

3. Saved cookies can keep the agent logged into user accounts and may expose those accounts if the local data directory is read or reused unexpectedly.
Browser session cookies are loaded and saved to local JSON files for reuse across runs.
`const cookiePath = path.join(SESSIONS_DIR, `cookies-${domain}.json`); ... await context.addCookies(cookies); ... fs.writeFileSync(cookiePath, JSON.stringify(cookies, null, 2));`
Make session persistence opt-in per site, encrypt or protect cookie storage, provide clear cleanup commands, and warn users not to import personal browser sessions unless necessary.

4. The agent may bypass anti-bot controls on third-party sites, which can violate site rules, trigger account bans, or enable abuse if misused.
The browser is configured to hide automation signals and automatically invokes CAPTCHA solving on page load.
`--disable-blink-features=AutomationControlled` ... `Object.defineProperty(navigator, 'webdriver', { get: () => false });` ... `await autoSolveCaptcha(page);`
Disable automatic CAPTCHA solving by default, require explicit user approval per site, and avoid using stealth automation where it is not authorized.

5. A hostile website could have a larger impact on the local machine than expected if a browser exploit occurs.
The skill browses arbitrary web pages with Chromium sandboxing disabled, reducing containment if a malicious page exploits the browser.
`chromium.launch({ headless: true, args: [ ... '--no-sandbox', '--disable-setuid-sandbox', ... ] })`
Run the skill in a VM/container, remove no-sandbox flags where possible, and avoid browsing untrusted sites from a privileged local environment.

6. Sensitive form entries, account details, or prior instructions could be stored and later replayed or reused in the wrong context.
The skill persists and reuses interaction history and form data, but the provided instructions do not define redaction, retention, site boundaries, or review controls.
Session recording — Record and replay all interactions ... Form memory — Auto-fill forms on repeat visits ... `persist(key, value)` / `recall(key)` | State memory
Use explicit opt-in memory, redact passwords and secrets, separate memories per site/account, add TTLs, and provide simple review/delete controls.

7. Other agents or inbound webhook events could become part of workflows that read email, use sessions, or trigger sensitive actions if the server is exposed or misconfigured.
The skill can bridge high-impact primitives to an MCP server and inbound webhooks, but the provided skill instructions do not describe identity checks, origin validation, or permission boundaries.
MCP server — Expose all primitives as Claude Code tools ... Webhook server — Receive inbound email, GitHub events, Stripe hooks
Bind services to localhost by default, authenticate MCP/webhook clients, validate webhook signatures, and expose only the minimum needed tools.

8. The package may fail at runtime or may depend on code that was not included in the reviewed artifacts.
These imported site skill files are not present in the provided file manifest, leaving the reviewed runnable surface inconsistent with the code.
`import code4rena from './sites/code4rena.js'; import upwork from './sites/upwork.js'; import immunefi from './sites/immunefi.js';`
Publish a complete, version-consistent package with a known source/homepage and ensure all imported files are included in the reviewed manifest.
