Skills
skills/sendaifun/skills/surfpool/Gen Agent Trust Hub

surfpool

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): Multiple documentation files (resources/cli-reference.md, resources/github-repos.md, and docs/troubleshooting.md) instruct users to execute curl -sL https://run.surfpool.run/ | bash. This pattern is an extremely dangerous vector for arbitrary code execution from an untrusted source.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill directs users to download assets and installers from run.surfpool.run and GitHub repositories under the txtx organization. Neither source is recognized as a Trusted External Source, posing a supply chain risk.
  • [COMMAND_EXECUTION] (MEDIUM): The instructions promote running high-privilege system commands such as cargo install, brew install, and docker run. These operations interact directly with the host system and should be strictly verified.
  • [EXTERNAL_DOWNLOADS] (HIGH): Automated scans detected a malicious phishing URL (anchor.se). While the exact location is not immediately apparent, the presence of such a domain in the skill context is a severe security concern.
Recommendations
  • CRITICAL: Downloads and executes remote code from untrusted source(s): https://run.surfpool.run/ - DO NOT USE
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 16, 2026, 02:20 AM