surf
Audited by Gen Agent Trust Hub on Feb 13, 2026
================================================================================
🔴 VERDICT: CRITICAL
This skill presents a CRITICAL security risk primarily due to the surf js command, which allows arbitrary JavaScript execution within the context of the controlled Chrome browser. This capability can be leveraged for severe attacks, including data exfiltration of sensitive browser data (cookies, local storage, session storage) and making unauthorized network requests to attacker-controlled servers. Furthermore, the surf upload command allows the skill to upload arbitrary local files, posing a direct data exfiltration vector if the agent is prompted to upload sensitive user files. The 'surf' CLI tool itself is an unverified external dependency, introducing a supply chain risk.
Total Findings: 5
🔴 CRITICAL Findings: • Arbitrary JavaScript Execution
- Line 238:
surf js "return document.title" - The surf js command allows executing arbitrary JavaScript code within the browser. This can be used to read sensitive data (e.g., document.cookie, localStorage), make fetch requests to exfiltrate data, or perform other malicious actions within the user's browser session.
🔴 HIGH Findings: • Data Exfiltration via File Upload
- Line 206:
surf upload --ref e5 --files "/path/to/file.txt" - The surf upload command explicitly allows uploading local files. If an agent is maliciously prompted, it could be instructed to upload sensitive files (e.g., ~/.ssh/id_rsa, .env files) to an external server or a compromised web application.
• Sensitive Browser Data Access
- Line 266:
surf cookie.list - Commands like surf cookie.list, surf cookie.get, surf history, and surf bookmarks allow access to potentially sensitive browser data (cookies, browsing history, bookmarks). While not direct exfiltration, this data could be read and then exfiltrated via other means (e.g., surf js or surf upload).
🟡 MEDIUM Findings: • Unverifiable External Dependency (surf CLI)
- Line 1:
name: surf - The skill relies on an external CLI tool named 'surf'. The skill description does not provide installation instructions or a source for this tool, making it an unverifiable dependency. The integrity and security of this tool cannot be assessed, introducing a supply chain risk.
🔵 LOW Findings: • Indirect Prompt Injection Risk
- Line 1:
description: Control Chrome browser via CLI for testing, automation, and debugging... - As a browser automation skill, it inherently processes content from external web pages. Malicious instructions could be embedded within these web pages (e.g., in hidden HTML comments or JavaScript) and inadvertently processed by the agent, leading to indirect prompt injection. This is an inherent risk of skills that interact with external, untrusted content.
================================================================================
- AI detected serious security threats