surf
Fail
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to install a CLI tool by piping a remote script to the shell: curl -fsSL https://agent.asksurf.ai/cli/releases/install.sh | sh. This pattern allows the execution of unverified code from an external server directly into the environment.
- [COMMAND_EXECUTION]: The skill uses the bash tool to execute a wide range of CLI commands, manage system configurations, and write files to the local filesystem (e.g., logging API feedback to ~/.surf/api-feedback/).
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it fetches and processes content from untrusted external sources.
  - Ingestion points: External data enters the agent's context through tools like surf web (which parses any URL), surf news (articles), and surf social-user (social media profiles and posts).
  - Boundary markers: The instructions lack delimiters or safety markers to differentiate between legitimate data and potential instructions embedded within the fetched content.
  - Capability inventory: The agent has persistent access to the bash tool, enabling it to execute commands or modify files based on instructions found in the ingested data.
  - Sanitization: No sanitization, validation, or filtering mechanisms are described for handling the external data before it is presented to the model.
Recommendations
- HIGH: Downloads and executes remote code from: https://agent.asksurf.ai/cli/releases/install.sh - DO NOT USE without thorough review
Audit Metadata