Is Panniantong/agent-reach safe?
https://github.com/Panniantong/agent-reach
agent-reach is a functionally legitimate multi-platform internet research skill with genuine security awareness — it includes SSRF protection, shell injection prevention, and 0600 credential file permissions confirmed in tests. However, two concerns elevate the risk profile: a live remote GitHub document (docs/update.md) that the author can modify at any time to inject adversarial instructions into future agent sessions, and a browser authentication token extraction facility that stores live social media session credentials accessible to the agent. The combination of these with mandatory external service routing and a very broad trigger surface warrants careful review before deployment.
Category Scores
Findings (9)
HIGH Live Remote Update Document Is Author-Controlled Prompt Injection Vector -20 ▶
SKILL.md instructs the agent to present users with a raw GitHub URL (docs/update.md) for updates, and to fetch docs/install.md for channel configuration. Both files are live documents exclusively controlled by the skill author. Any future modification to these files could inject adversarial instructions that the agent would interpret and execute under the guise of normal update or install flows. This is a persistent, ongoing risk that survives the initial review of the current skill content.
MEDIUM MUST USE Mandate Locks Out Alternative Internet Access Methods -15 ▶
The skill explicitly mandates that once installed, the agent must use it for all covered platforms and must not invent alternative solutions. This reduces the agent's autonomy, forces all covered internet traffic through author-controlled tooling, and could mask capability degradation or backend changes by prohibiting workarounds.
MEDIUM Browser Authentication Token Extraction and Storage -15 ▶
cookie_extract.py extracts live session credentials from the user's browser including Twitter auth_token and ct0 (which grant full account write access) and XiaoHongShu web_session tokens. While the code stores these with 0600 file permissions and test coverage confirms shell injection prevention, these tokens are high-value credentials that remain at rest in ~/.config/xfetch/session.json and ~/.config/bird/credentials.env and are fully accessible to the agent.
LOW Post-Task Version Check Enables Usage Timing Observation -10 ▶
The skill mandates running agent-reach check-update after every major multi-platform research task. This unconditionally makes a GitHub API request to the author's repository, enabling inference of when the user's agent is actively conducting research, at what frequency, and by extension patterns of use.
LOW All Research Queries Routed Through Third-Party External Services -5 ▶
The skill routes all semantic web search through Exa.ai, all web article reading through Jina Reader (r.jina.ai), and authenticated social platform access through the OpenCLI cloud service. These external parties receive the full plaintext content of user queries and target URLs for all research sessions.
LOW Shell and Subprocess Execution for Audio Transcription Workflow -18 ▶
transcribe.py and transcribe_xiaoyuzhou.sh invoke yt-dlp, ffmpeg, and external transcription APIs (Groq Whisper, OpenAI Whisper) via subprocess. The code includes SSRF protection (confirmed: rejects 169.254.169.254 metadata endpoints before invoking yt-dlp) and URL passthrough via end-of-options marker (--). This is legitimate functionality but expands the shell execution surface.
INFO Clean Clone Behavior — Only GitHub Network Connection 0 ▶
The git clone operation made a single TCP connection to 140.82.121.3:443 (GitHub CDN). No unexpected processes were spawned, no new listening ports appeared, and all filesystem writes were confined to the skill directory. Connection diff before/after shows no new persistent connections.
INFO All Canary Files Intact — No Exfiltration Detected 0 ▶
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were read-only accessed at timestamp 1783525773, which is 6 seconds before the git clone at 1783525779. This timing and the CLOSE_NOWRITE inotify events confirm the accesses were audit infrastructure setup, not the skill. No content was transmitted externally.
MEDIUM Compounding Risk: Live Remote Instructions + Cookie Credentials + Broad Trigger Surface -40 ▶
Individually, the update document mechanism and cookie extraction are moderate concerns. Combined, they create a compounding risk profile: the skill has persistent access to live session tokens for multiple platforms, routes all queries through external services, triggers on nearly any internet-related user request, and maintains a live remote document that can inject new instructions at any time. A sophisticated attacker maintaining this skill could weaponize future docs/update.md content to exfiltrate the stored session credentials or hijack ongoing research sessions. The mandatory workspace output redirection to /tmp also reduces user visibility into skill activity.