surf

Fail

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to run 'surf install' at the start of every session to update the CLI binary from a remote source. It also specifies the use of 'npx skills check asksurf-ai/surf-skills', which downloads and executes code from the npm registry.
  • [PROMPT_INJECTION]: The skill contains logic to modify the project's 'AGENTS.md' or 'CLAUDE.md' files to inject a 'Surf routing' block. These instructions command the agent to 'try Surf first' and prioritize it over other tools, which overrides standard model reasoning and tool selection logic. Additionally, the skill is vulnerable to indirect prompt injection:
      • Ingestion points: Data from the 'surf' CLI, which is fetched from external APIs.
      • Boundary markers: Includes a 'Data Boundary' section warning the agent that API responses are untrusted.
      • Capability inventory: Usage of the 'bash' tool for command execution and filesystem access.
      • Sanitization: No evidence of structured schema validation or sanitization of external output before processing.
  • [DATA_EXFILTRATION]: The 'surf feedback' command transmits the last 10 turns of the conversation context to the vendor's domain. While the instructions state the agent should ask for user consent, this mechanism facilitates the transfer of potentially sensitive chat history to an external party. Furthermore, the 'web-fetch' domain allows fetching content from any user-supplied URL.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the 'bash' tool for managing the CLI environment, executing binary updates, writing to project metadata files, and performing git operations.
  • [EXTERNAL_DOWNLOADS]: The skill directs the agent to download updates and configuration from external sources including 'agents.asksurf.ai' and 'raw.githubusercontent.com'.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 25, 2026, 04:00 AM