deep-research-surf

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly requires subagents to return "full extracted content" from web crawls and repositories (README, commits, config files, etc.) and to include quotes/data from sources without any redaction guidance, which would force the agent to output any secrets or API keys found verbatim and therefore creates a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly directs the agent and spawned subagents to use Surf MCP primitives to search and crawl public web sources (web, GitHub, Reddit, Twitter/X, YouTube subtitles) and Stage 2 requires full extraction of Reddit threads, tweets, web pages and GitHub repos, which are untrusted third-party/user-generated contents that the agent must read and use to drive decisions and synthesis—exposing it to indirect prompt injection.