surf
Fail
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: CRITICAL
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection attacks because it ingests untrusted data from web pages and external AI assistants.
  - Ingestion points: Untrusted content enters the agent's context through `surf page.read`, `surf page.text`, and responses from AI services (`surf chatgpt`, `surf gemini`, `surf perplexity`, `surf grok`).
  - Boundary markers: Absent; the skill does not implement delimiters or specific instructions for the agent to ignore commands embedded in the retrieved web content.
  - Capability inventory: The skill provides extensive capabilities including navigation, form interaction, file uploads (`upload`), and JavaScript execution (`js`), which could be abused if an injection attack succeeds.
  - Sanitization: No content filtering or sanitization is mentioned in the skill definition.
- [COMMAND_EXECUTION]: The skill allows the execution of arbitrary JavaScript within the browser context using `surf js` and `surf frame.js`. This is a core feature for browser automation but allows full manipulation of the browser session by the agent or a potential attacker.
- [COMMAND_EXECUTION]: The skill provides tools to access sensitive browser-level data, including cookies (`cookie.list`), history (`history`), and bookmarks (`bookmarks`). This data is accessed using the user's active browser session.
- [COMMAND_EXECUTION]: An automated scanner alert for 'wait.net' was investigated. No such URL exists in the skill; the alert is a likely false positive triggered by the command string 'wait.network'.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata