ClawHub
Back to skill
v1.0.0

Fox Agent Reach

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:36 AM.

Analysis

This skill is broadly coherent as an internet/social research helper, but it asks the agent to handle login cookies, rely on off-package setup/tools, bypass platform protections, and potentially publish to social platforms.

GuidanceReview carefully before installing. Only use this skill if you are comfortable with third-party search/provider calls and, if enabled, social-account access. Do not provide main browser cookies or account cookies; use disposable accounts where possible. Require explicit confirmation before installs, cookie-backed browsing, anti-bot workflows, or any public post/comment, and inspect ~/.agent-reach for persistent data.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
Use when ... `user asks to post, comment, or interact` ... `xiaohongshu.publish_content(title: "标题", content: "正文", images: ["/path/img.jpg"], tags: ["tag"])`

The skill includes a public-content publishing action, but does not specify confirmation, preview, account scope, or rollback requirements.

User impactA mistaken or over-broad agent action could publish content through a user's social account.
RecommendationSeparate read-only research from posting workflows, and require explicit human review and confirmation before any public post, comment, or interaction.
Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
`Read` (Camoufox — bypasses WeChat anti-bot) ... `Must use Camoufox.`

The artifact explicitly frames the WeChat reading workflow as bypassing anti-bot protections rather than using a clearly authorized API or normal reader path.

User impactUsing this workflow could violate platform rules, trigger account or network controls, or expose the user to unreliable automation behavior.
RecommendationPrefer official or permitted access methods, and require the user to opt in before using any platform-bypass automation.
Agentic Supply Chain Vulnerabilities
SeverityMediumConfidenceHighStatusConcern
SKILL.md
If a channel needs setup ... fetch the install guide: `https://raw.githubusercontent.com/Panniantong/agent-reach/main/docs/install.md` ... `User only provides cookies. Everything else is your job.`

Setup is delegated to a remote off-artifact guide even though the package has no reviewed install spec; this creates a provenance gap, especially when paired with cookie handling.

User impactThe agent may follow setup instructions or use tools that were not included in the reviewed package.
RecommendationReview and pin installation steps inside the package, avoid live remote setup instructions, and require explicit approval before installing or running external tools.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
_meta.json
`"ownerId": "kn795vekm0vna15c88bp65skgs81t4q5", "slug": "agent-reach", "version": "1.1.0"`

The packaged metadata differs from the supplied registry metadata for fox-agent-reach version 1.0.0 with a different owner ID, which is a provenance inconsistency users should notice.

User impactThe package identity may be a repackaged or mismatched copy, making it harder to know exactly which project/version is being installed.
RecommendationConfirm the intended publisher, slug, version, and upstream source before installation.
Rogue Agents
SeverityLowConfidenceHighStatusNote
SKILL.md
`Never create files in the agent workspace.` Use `/tmp/` for temporary output and `~/.agent-reach/` for persistent data.

The skill intentionally uses a persistent home-directory location. That can be reasonable for configuration, but the artifact does not define what is stored or how it is cleaned up.

User impactData, configuration, or credentials related to the skill may outlive a single task.
RecommendationInspect and periodically clear ~/.agent-reach, and document exactly what may be stored there.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceHighStatusConcern
SKILL.md
Use `--cookies-from-browser chrome` ... `Requires login. Use Cookie-Editor to import cookies.`

The skill tells the agent to use browser/session cookies and imported login cookies, while the registry declares no credentials, config paths, or scoped account boundary.

User impactThe agent could access logged-in social accounts or browser session material, not just public web pages.
RecommendationDo not provide main-account cookies. Use disposable/scoped accounts if needed, declare required credentials explicitly, and require user approval before any cookie-backed request.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
`mcporter call 'exa.web_search_exa(...)'` ... `mcporter call 'linkedin.get_person_profile(...)'` ... `curl -s "https://r.jina.ai/URL"`

The skill sends queries, URLs, and profile lookups through external providers/gateways; this is expected for the stated research purpose but is still a data-sharing boundary.

User impactSearch terms, URLs, and profile targets may be visible to third-party services.
RecommendationAvoid sending private, confidential, or account-sensitive inputs through these provider calls unless the user explicitly accepts that sharing.