Surf Skill — One Skill, All Crypto Data
Fail
Audited by Snyk on Apr 7, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs embedding user API keys in commands (e.g.,
surf auth --api-key sk-xxxandexport SURF_API_KEY=<your-api-key>) and to accept/save user-provided keys, which requires the agent to handle and output secret values verbatim, creating an exfiltration risk.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.85). The set is suspicious because it includes a direct install.sh shell script (agent.asksurf.ai/cli/releases/install.sh) that the prompt tells users to curl | sh — a high-risk pattern that can execute arbitrary code from an external/relatively unknown domain (the API and landing pages themselves are not direct downloads but belong to the same issuer, increasing risk if the issuer is untrusted).
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's required workflow explicitly fetches and ingests open/public third-party content (e.g., the Domain Guide and examples: "social" — Twitter/X profiles/posts like
surf social-user --handle ..., and "web" — "Fetch/parse any URL"), so the agent will read untrusted, user-generated web/social content as part of its operation, which could contain instructions that materially influence behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's setup instructs running curl -fsSL https://agent.asksurf.ai/cli/releases/install.sh | sh, which downloads and immediately executes remote shell code as part of the required Surf CLI installation, so it is a remote dependency that executes code.
Issues (4)
W007
HIGHInsecure credential handling detected in skill instructions.
E005
CRITICALSuspicious download URL detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata