Skill v1.0.0

ClawScan security

Agent Reach Setup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 7, 2026, 7:42 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is coherent with installing and configuring Agent Reach, but it instructs installing code directly from a GitHub archive (pip URL) and uses --break-system-packages (which can override system package protections); the package source is not authoritative in the registry metadata and several runtime commands assume/launch other CLIs and credentials not declared in metadata.
Guidance
This skill appears to do what it says (install and configure Agent Reach) but it installs a Python package directly from a GitHub archive and uses --break-system-packages, which can override system package protections. Before running it: 1) Verify the upstream repository (https://github.com/Panniantong/agent-reach) and inspect its code/release history; 2) Prefer installing in an isolated environment (virtualenv, venv, or container) rather than system Python; avoid running pip with --break-system-packages on a managed system; 3) Don't run install.sh as root; review the install.sh contents (it is short) and the upstream package for any network callbacks or credential collection; 4) Be aware the skill expects other CLIs (yt-dlp, xreach, mcporter) and may ask you to paste cookies or proxy credentials — only provide secrets you trust the upstream to need; 5) If you cannot verify the upstream source, consider manual installation steps from the upstream repo or decline installation. If you want higher assurance, ask the publisher for a provenance link (official homepage or release tag) and for signed releases or checksums.

Review Dimensions

Purpose & Capability
note: The name/description match the files and instructions: the package installs an 'agent-reach' Python tool and configures channels. However the skill relies on several external CLIs and services (mcporter, yt-dlp, xreach, agent-reach itself, mcporter endpoints) that are not declared as required binaries in the metadata. The SKILL.md and examples assume these tools are present or will be installed, which is a gap between declared requirements and actual runtime needs.
Instruction Scope
concern: Runtime instructions and install.sh run pip install from a GitHub archive, invoke agent-reach install/doctor, and run mcporter config add. They also show examples that accept/provide credentials (proxy with user:pass, twitter cookies) and call many external CLIs (yt-dlp, xreach, curl). The install script and SKILL.md instruct actions that can change the environment and may require secrets, but the skill metadata does not declare those binaries or secret inputs. Using --break-system-packages broadens the scope of changes (it can override system package protection).
Install Mechanism
concern: There is no formal install spec in the registry; instead an included install.sh performs pip install pointing at a GitHub archive URL (https://github.com/Panniantong/agent-reach/archive/main.zip). Installing arbitrary code from a GitHub archive is common but inherently risky if the upstream is not trusted. The script also uses --break-system-packages, which can force package modifications in managed environments and is a potentially dangerous flag. The GitHub archive URL itself is a known host (GitHub), better than a personal server, but the registry provides no homepage or verified source, so users must trust the referenced repository separately.
Credentials
note: The skill declares no required environment variables or credentials, which aligns with metadata. However examples and instructions show optional use of credentials (proxy URL with user:pass, 'twitter-cookies' pasted string) and the skill config references external APIs (https://mcp.exa.ai/mcp and multiple localhost endpoints). Those are optional but the metadata does not surface them; users should be aware they may need to provide sensitive values during setup or runtime.
Persistence & Privilege
ok: The skill is not 'always' enabled and does not request system-wide configuration changes beyond installing packages and writing to user-home paths defined in config.json. It does not declare modifications to other skills or system agent settings. Autonomous invocation is allowed by default (normal), but that combined with installing external code increases the attack surface.