controlling-internet-browser-with-surfcli

Fail

Audited by Snyk on Feb 13, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt includes examples and workflow usage that embed passwords, cookie tokens, and other secret values directly in CLI arguments and workflow parameters (e.g., --password "secret", cookie.set --value "abc123"), which would require an agent to output user-provided secrets verbatim in commands—creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly navigates to and reads arbitrary web pages and user-provided URLs (e.g., "surf navigate ", "surf page.read", "surf page.text", "surf do 'go "url" | ...'") and includes connectors that ingest public social media and site content for AI queries (e.g., "surf grok 'what are the latest AI trends on X'", "surf gemini --with-page", "surf gemini --summarize --youtube ..."), so the agent will consume untrusted, user-generated third‑party content as part of its workflow.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Attempt to compromise machine state in skill instructions detected (medium risk: 0.60). The skill does not request sudo or system-level changes, but it exposes powerful browser and filesystem operations (file upload/read, cookie/storage access, saving workflows/config in ~/, writing screenshots to /tmp, and a Unix socket API) that can be used to read or write sensitive user files or exfiltrate data, so it poses a moderate risk.

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Feb 13, 2026, 08:50 AM