Skill v0.1.0
ClawScan security
Agent Reach · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Suspicious (Mar 6, 2026, 4:48 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (web access across many platforms) matches its instructions, but the SKILL.md expects many external tools, persistent storage of cookies/tokens, and access patterns that are not declared, raising coherence and privacy concerns.
- Guidance: This skill is plausible for multi-platform web access, but it omits key safety details. Before using/installing:
  - (1) ask the publisher for the source repo and a full list of required binaries/versions and exact install steps;
  - (2) do not paste full browser cookie files; prefer short-lived session tokens or OAuth where possible;
  - (3) verify what will be stored in ~/.agent-reach and where cookies/tokens are kept and encrypted;
  - (4) inspect the external install guide (the raw.githubusercontent.com link) before running any commands;
  - (5) run the tooling in a sandbox or throwaway account if you must provide credentials;
  - (6) be aware that some commands forward URLs to third-party fetchers (r.jina.ai, Camoufox), which sends your requested URLs/content to external services;
  - (7) if you do not trust the author or cannot obtain a clear, auditable install manifest, treat this skill as unsafe to enable with real credentials.
Review Dimensions
- Purpose & Capability (concern): The skill claims broad web/platform access (13+ services) and the instructions show how to do that, but the package declares no required binaries, env vars, or install steps, despite relying on many external tools (mcporter, xreach, yt-dlp, gh, Python libraries, npm undici, Camoufox, Cookie-Editor). This mismatch (no declared dependencies while instructing use of many CLIs/libraries) is incoherent.
- Instruction Scope (concern): SKILL.md instructs the agent to run many shell commands, to fetch content via third-party proxies (r.jina.ai), to read or import cookies, to run local Python tools (wechat reader), and to post content using local file paths. It also requires storing persistent data under ~/.agent-reach and using browser cookie exports or --cookies-from-browser, which implies access to sensitive local data. These actions go beyond a simple 'search/read' helper and are not constrained or audited by the skill metadata.
- Install Mechanism (concern): There is no install spec, yet the guide references installing/using multiple third-party tools and an external install guide hosted on raw.githubusercontent.com. Because the skill relies on external binaries and packages but provides no packaged or vetted install instructions, it leaves room for ad-hoc downloads and manual installs from unverified sources.
- Credentials (concern): The skill declares no required credentials, but its runtime instructions expect sensitive inputs: cookies, xsec_token, and potentially browser cookie access and proxy configuration. It also instructs persisting those artifacts in ~/.agent-reach. Requesting and storing such credentials is proportionate to posting/reading on logged-in sites, but the absence of any declared env/credential requirements or clear handling policies is a red flag.
- Persistence & Privilege (note): The skill's always field is false (good), but the guide explicitly directs storing persistent data in ~/.agent-reach (cookies, tools). Persisting login cookies/tokens combined with autonomous invocation increases risk if the agent performs actions without tight user approval. The skill does not request system-wide privileges or change other skills' configs.
