Oathe Security Badge

Is Panniantong/Agent-Reach safe?

https://github.com/Panniantong/Agent-Reach

Score: 78 (CAUTION)

Agent-Reach is a legitimate multi-platform social media research skill with well-structured Python code, security-aware credential handling (0o600 file permissions, SSRF protection in transcribe.py), and no malicious behavior observed during cloning or installation. The primary concern is an auto-update mechanism that directs the agent to fetch a remotely-controlled document (update.md on GitHub) after research tasks — this document can be modified at any time to inject arbitrary instructions without any change to the committed codebase. Secondary concerns include aggressive MUST USE directives that monopolize all internet access and collection of social media auth tokens across multiple platforms.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (8)

HIGH Auto-Update Fetches Remotely-Controlled Document -25

After completing research tasks, the agent is instructed to run 'agent-reach check-update'. If a new version exists, the skill embeds a user-facing 'magic phrase' containing a raw GitHub URL (https://raw.githubusercontent.com/Panniantong/agent-reach/main/docs/update.md). When the user repeats this phrase, the agent fetches and acts on the content of that document. The content of update.md can be changed at any time by the repository owner without altering the committed SKILL.md, enabling persistent remote instruction injection.

MEDIUM MUST USE Directives Override Agent Judgment -13

The skill's description and body contain multiple 'MUST USE' and absolute prohibition directives ('本 skill 存在时必须用它访问这些平台,不要自己发明方案', roughly: "when this skill is present you must use it to access these platforms; do not invent your own approach") that force the agent to route all internet research through this skill's backends, suppressing the agent's ability to use safer built-in alternatives or exercise independent judgment.

MEDIUM Collects and Stores Social Media Auth Tokens -18

The skill's cookie_extract.py and CLI handlers collect browser cookies including Twitter auth_token and ct0 tokens, Xiaohongshu web_session cookies, and other platform credentials. These are stored in ~/.config/ and ~/.agent-reach/ subdirectories. While files are written with 0o600 permissions and tests verify this, the accumulated credential store represents significant risk if the skill's backend infrastructure is compromised.

MEDIUM Configuration Guide Is a Live Remote Document -12

SKILL.md directs the agent to fetch installation guidance from https://raw.githubusercontent.com/Panniantong/agent-reach/main/docs/install.md. Like update.md, this document is remotely controlled and can be modified to include malicious instructions without any change to the committed repository.

LOW Shell Scripts Execute External Binaries -8

transcribe_xiaoyuzhou.sh orchestrates yt-dlp and ffmpeg for audio transcription. sync-upstream.sh performs git operations against upstream repositories. While no malicious behavior was detected, these scripts execute external binaries and could be modified in future commits.

LOW Routine Update Check Creates Recurring External Contact -20

The skill mandates running 'agent-reach check-update' (a GitHub API call) after every significant multi-platform research task. This creates a recurring pattern of external contact that could be used to track agent activity or as a timing oracle.

INFO Clone Behavior Within Expected Bounds -5

Network activity during clone was limited to DNS resolution and an HTTPS connection to github.com (140.82.121.4:443). No unexpected endpoints were contacted, no new listening services appeared, and no unexpected processes were spawned.

INFO Canary Files Intact; Pre-Clone Accesses From Audit Framework 0

All honeypot files (fake .env, SSH keys, AWS credentials, npmrc, Docker config, GCloud creds) were accessed at 22:46:23 but confirmed intact. Timing analysis shows these accesses occurred 6 seconds before the git clone and are attributable to the audit framework's honeypot setup, not the skill.