Surf Skill — One Skill, All Crypto Data

Fail

Audited by Snyk on Apr 7, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs embedding user API keys in commands (e.g., surf auth --api-key sk-xxx and export SURF_API_KEY=<your-api-key>) and to accept/save user-provided keys, which requires the agent to handle and output secret values verbatim, creating an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.85). The set is suspicious because it includes a direct install.sh shell script (agent.asksurf.ai/cli/releases/install.sh) that the prompt tells users to curl | sh — a high-risk pattern that can execute arbitrary code from an external/relatively unknown domain (the API and landing pages themselves are not direct downloads but belong to the same issuer, increasing risk if the issuer is untrusted).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's required workflow explicitly fetches and ingests open/public third-party content (e.g., the Domain Guide and examples: "social" — Twitter/X profiles/posts like surf social-user --handle ..., and "web" — "Fetch/parse any URL"), so the agent will read untrusted, user-generated web/social content as part of its operation, which could contain instructions that materially influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill's setup instructs running curl -fsSL https://agent.asksurf.ai/cli/releases/install.sh | sh, which downloads and immediately executes remote shell code as part of the required Surf CLI installation, so it is a remote dependency that executes code.

Issues (4)

W007
HIGH

Insecure credential handling detected in skill instructions.

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Apr 7, 2026, 12:18 AM
Issues
4
Security Audit — snyk — Surf Skill — One Skill, All Crypto Data