agent-reach
Fail
Audited by Snyk on Mar 10, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt includes examples and setup steps that require user cookies/tokens passed directly in CLI calls (e.g., xsec_token: "yyy", import cookies, "User only provides cookies"), which would force the agent to accept and embed secret values verbatim into commands—an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md explicitly instructs the agent to fetch and read content from open public sources—e.g., arbitrary web pages via curl/r.jina.ai/URL, Twitter/X (xreach tweet/search), Reddit JSON, YouTube/bilibili via yt-dlp, WeChat articles via Camoufox, XiaoHongShu/Douyin via mcporter, RSS feeds, and general web search—meaning the agent ingests untrusted, user-generated third-party content that can influence its actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly tells the agent to fetch the installation guide at runtime from https://raw.githubusercontent.com/Panniantong/agent-reach/main/docs/install.md, and that remote document would supply installation commands/instructions the agent is expected to follow (i.e., directly controlling actions and potentially causing execution of remote code).