Agent Reach Setup

Security checks across malware telemetry and agentic risk

Overview

This Agent Reach setup skill is coherent, but it asks users to run unpinned remote installation code that bypasses Python protections and includes unsafe credential examples.

Review install.sh and the Agent Reach source before installing. Prefer a virtual environment or pipx instead of --break-system-packages, pin a release or commit where possible, and do not paste real cookies or proxy passwords into shell history, logs, screenshots, or shared terminals.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README directs users to make and execute an installation script immediately after cloning the repository, but does not disclose what the script changes on the local system or warn users to inspect it first. In a skill/package context, encouraging direct execution of repository-provided scripts increases supply-chain risk because users may run unreviewed code that alters configuration, installs software, or affects credentials.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README recommends using pip install with --break-system-packages, which bypasses Python environment protections and can damage or destabilize the user's system-managed Python installation. Presenting this as a normal fix without strong warnings or safer alternatives can lead users to compromise their local environment unnecessarily.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs users to install a package from a GitHub ZIP using pip with --break-system-packages, which disables Python's protections for system-managed environments. In an agent skill context, this is dangerous because it encourages unsafe installation behavior that can overwrite distro-managed packages, destabilize the host environment, and increase supply-chain risk from unpinned remote code.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The proxy example embeds credentials directly in the command line URL (http://user:pass@ip:port), which can expose secrets through shell history, process listings, logs, screenshots, or shared transcripts. In an agent-oriented skill, users may copy this pattern verbatim, making credential leakage more likely across automated environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script performs network package installation from a remote GitHub archive, runs an installer command with automatic environment configuration, and modifies tool configuration without any prompt, dry-run, or explanation of side effects. In an agent skill context, silent installation and configuration changes increase risk because users may execute the script expecting setup help, while it makes persistent changes and trusts remote content that can change over time.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The troubleshooting guide advises using pip with --break-system-packages, which disables Python's external package management protections and can modify system-managed environments. In a user-facing agent skill, presenting this as the default fix without a warning increases the chance of dependency conflicts or damage to the host Python installation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The proxy example embeds credentials directly in the command line (http://user:pass@ip:port), which normalizes insecure handling of secrets. Users may paste real credentials into shell history, process listings, logs, or shared screenshots, leading to credential disclosure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The example shows proxy credentials embedded directly in a command-line URL (`http://user:pass@ip:port`). Credentials placed in shell history, process listings, logs, screenshots, or copied docs can be exposed to other local users or monitoring systems. In agent/automation contexts, users often paste commands verbatim, increasing the chance of accidental secret disclosure.

Missing User Warnings

High
Confidence
99% confidence
Finding
The example instructs users to paste a raw Twitter/X cookie string without warning that cookies are bearer-style authentication secrets. If exposed via shell history, logs, clipboard sync, screenshots, or shared terminals, an attacker may be able to hijack the associated account session and access private data or act as the user.

VirusTotal

65/65 vendors flagged this skill as clean.