surf

Fail

Audited by Snyk on Feb 22, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt includes many examples and workflow patterns that require embedding plaintext secrets (passwords, cookie values, --password/--value args) directly into CLI commands and workflow JSON, so an LLM orchestrating or emitting those commands would need to handle and output secrets verbatim, creating exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The surf CLI exposes powerful browser-control primitives (arbitrary JS execution, full page/frame reading, cookie/storage access, network capture/response bodies, file upload/download, and AI queries via the user's logged-in sessions) plus a programmatic Unix-socket API. Combined, these provide clear avenues for credential theft, data exfiltration, and a local backdoor if the socket or CLI is invoked by untrusted actors or processes.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly navigates arbitrary public URLs and ingests page content (e.g., surf navigate / surf tab.new combined with surf page.read / surf page.text, surf --with-page for AI queries, and surf grok to read X posts), so untrusted third‑party web/social content can be read and used to drive clicks, fills, workflows, or AI queries.

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Feb 22, 2026, 09:19 AM