← 返回 Skills 市场
349
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install skill-9-0-1-0
功能描述
Give your AI agent eyes to see the entire internet. Install and configure upstream tools for Twitter/X, Reddit, YouTube, GitHub, Bilibili, XiaoHongShu, Douyi...
安全使用建议
This skill appears to do what it says (install and wire up many platform CLIs), but it asks you to: (1) pip-install a GitHub 'main' zip (un-pinned release), (2) paste or let the tool extract browser cookies (session tokens), and (3) supply and store proxy credentials and possibly other API keys in ~/.agent-reach. Before installing: (a) review the agent-reach repository source and prefer a pinned release tag rather than archive/main.zip; (b) avoid pasting cookies from your primary accounts — use dedicated throwaway/test accounts if possible; (c) if you must provide credentials, run installation in an isolated environment (VM or container) and inspect what files are written to ~/.agent-reach; (d) consider manually performing login steps rather than giving full cookie strings to the agent; and (e) if you want lower risk, do not install this on a machine containing sensitive accounts or corporate data. The metadata/instructions mismatch (declared no credentials vs. instructions requesting many secrets) is another reason to be cautious. If you want, I can list specific lines in SKILL.md that request sensitive inputs and suggest safer alternatives (pinned install command, limited-scope tokens, containerized install).
功能分析
Type: OpenClaw Skill
Name: skill-9-0-1-0
Version: 1.0.0
The skill bundle installs a toolset from a remote GitHub ZIP and provides instructions for an AI agent to manage and extract sensitive credentials, including a command to automatically extract cookies from the local Chrome browser (`agent-reach configure --from-browser chrome`). While these capabilities are framed as necessary for accessing platforms like Twitter, LinkedIn, and WeChat, the handling of raw session cookies and the requirement to install external code from an unverified repository present a high risk of credential theft and supply chain compromise (SKILL.md).
能力评估
Purpose & Capability
The name/description claim to provide access to many platforms and the SKILL.md indeed contains commands and workflows to install and configure those platform clients (xreach, yt-dlp, mcporter, etc.). That is coherent. However the registry metadata declares no required credentials/env vars while the instructions explicitly require pasting cookies, optionally API keys and proxy credentials — a mismatch between declared requirements and actual runtime needs.
Instruction Scope
Runtime instructions tell the agent to install software, extract cookies from a local browser (`--from-browser chrome`) and/or ask the user to paste full cookie header strings (session tokens), and to configure proxies (including user:pass). Those actions access highly-sensitive local secrets (browser cookies) and network credentials which are outside what an installer-only metadata declaration suggested. The instructions also ask the agent to write config and tokens into ~/.agent-reach, enabling long-lived credential storage.
Install Mechanism
There is no platform install spec in the registry, but SKILL.md instructs `pip install https://github.com/.../archive/main.zip`. Installing from a repository's 'main' archive is riskier than a pinned release (the main branch can change), and agent-reach will auto-install many dependencies (Node.js, CLIs, yt-dlp, mcporter, etc.) from unspecified sources. This increases the attack surface and supply-chain risk.
Credentials
The skill declares no required env vars or primary credential, yet the prose repeatedly requires cookies, proxy credentials, and sometimes API keys (e.g., references to an API Key in the truncated section). Requesting raw browser cookies or full proxy credentials is powerful and sensitive; such secrets are proportionate to the goal only if the user knowingly provides them for those specific platform accounts (preferably throwaway/test accounts). The mismatch between declared and actual credential needs is concerning.
Persistence & Privilege
always:false (no forced inclusion). The instructions explicitly persist configuration and tokens to ~/.agent-reach and advise using that directory for tools and tokens. Persisting credentials locally is expected for this functionality, but it amplifies risk when combined with installing unpinned code and the agent's ability to act autonomously; consider whether you want long-lived credentials stored there.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install skill-9-0-1-0 - 安装完成后,直接呼叫该 Skill 的名称或使用
/skill-9-0-1-0触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
agent-reach 1.0.0
- Initial release of agent-reach, providing setup and management tools for 13+ internet platforms.
- Supports channel installation and configuration for platforms like Twitter/X, Reddit, YouTube, GitHub, Bilibili, XiaoHongShu, Douyin, LinkedIn, Boss直聘, WeChat (公众号), RSS, and general web pages.
- Enforces dedicated directories outside the agent workspace for configs, tool repos, and temporary files.
- Setup instructions and direct usage guides for each supported upstream tool included.
- Easily configure channels via cookies, browser extraction, or proxies.
- Multi-language support for user prompts and setup guidance.
元数据
常见问题
Skill 9 0.1.0 是什么?
Give your AI agent eyes to see the entire internet. Install and configure upstream tools for Twitter/X, Reddit, YouTube, GitHub, Bilibili, XiaoHongShu, Douyi... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 349 次。
如何安装 Skill 9 0.1.0?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install skill-9-0-1-0」即可一键安装,无需额外配置。
Skill 9 0.1.0 是免费的吗?
是的,Skill 9 0.1.0 完全免费(开源免费),可自由下载、安装和使用。
Skill 9 0.1.0 支持哪些平台?
Skill 9 0.1.0 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Skill 9 0.1.0?
由 yiyi-9(@yiyi-9)开发并维护,当前版本 v1.0.0。
推荐 Skills