Surf Query

Security checks across malware telemetry and agentic risk

Overview

The surf lookup function is coherent, but the package includes an unverified self-updater and disables TLS verification while using an API key, so it belongs in Review before installation.

Install only if you are comfortable auditing or disabling update.sh. Prefer platform-reviewed or pinned updates, avoid running the updater from cron, use a low-privilege CWA API key, and treat parking lookup as execution of a separate installed skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
    if not parking_script.exists():
        return "(停車查詢 skill 未安裝)"  # "(parking-query skill not installed)"
    try:
        result = subprocess.run(
            [python, str(parking_script), "--lat", str(lat), "--lon", str(lon), "--mode", "realtime"],
            capture_output=True, text=True, timeout=30
        )
```
Confidence
92% confidence
Finding
result = subprocess.run( [python, str(parking_script), "--lat", str(lat), "--lon", str(lon), "--mode", "realtime"], capture_output=True, text=True, timeout=30 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises network, environment-variable, and shell-related capabilities but does not declare permissions, which undermines sandboxing and user/admin review. In this context, the skill also includes installation and restart instructions and the broader analysis indicates additional update behavior elsewhere, making undeclared capabilities more concerning because operators may grant trust without understanding the actual execution surface.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
A description-behavior mismatch is a real security issue because it prevents informed consent: users think they are installing a surf-information skill, while the codebase reportedly also contains self-update functionality that fetches and replaces local code from GitHub. That creates a supply-chain and remote code modification risk, especially dangerous for a skill with network and shell capabilities, because future behavior can change beyond what the original description disclosed.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This skill delegates functionality to another local skill without establishing trust guarantees for that dependency. In an agent-skill ecosystem, local skills are potentially adversarial or replaceable, so invoking one transitively expands the attack surface and can expose the caller to arbitrary code execution or unsafe outputs.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script downloads executable skill code and related files directly from a remote GitHub repository and replaces local files without any authenticity verification such as signature checking, pinned commit hashes, or checksum validation. This creates a supply-chain compromise path: if the repository, branch, or network path is tampered with, arbitrary code can be delivered and later executed by the host environment.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
An automatic self-update mechanism is not required for the stated surf-information functionality and materially expands the skill's attack surface. Because it fetches and installs new code from a remote source, the skill can change behavior after review, undermining trust boundaries and enabling persistent malicious updates if the upstream source is compromised.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase "衝浪" (Chinese for "surfing") is broad enough to match ordinary conversation about surfing, which can cause the skill to activate outside a clearly intended tool-use context. This creates unintended invocation risk and may lead to unnecessary location-based or external-data queries, though the skill itself appears informational rather than overtly dangerous.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger "surf" is highly generic and may appear in unrelated English text, causing accidental activation of this skill. In multi-language chat environments, such broad matching increases collision risk with normal conversation and can reduce user control over when the tool runs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script silently overwrites local skill files with remotely downloaded replacements and provides only status messages, not informed user or administrator consent. This makes unauthorized or unexpected code changes easier to introduce and harder to detect, especially in unattended cron execution, increasing the likelihood of persistent compromise or operational breakage.
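The three self-update findings above (no authenticity check on the downloaded code, a capability the surf lookup does not need, and silent overwriting of local files) and the earlier subprocess delegation finding share one remedy: pin a digest for every file you are willing to execute, check the bytes against it immediately before they are installed or run, and fail closed. The following is an added example, not code from the skill or from SkillSpector. It assumes the pinned SHA-256 comes from a source the operator controls (a manifest kept next to the skill, or the digest recorded at install time), uses a constructed stand-in for the parking script rather than the real one, and the function names (`verify_and_install`, `run_pinned_skill`, `demo`) are hypothetical.

```python
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_and_install(blob: bytes, expected_sha256: str, dest: Path) -> str:
    """Write blob to dest only if its SHA-256 equals the pinned digest.

    Raises ValueError and leaves dest untouched on mismatch. The bytes go to a
    temp file in the same directory and are swapped in with os.replace, so a
    rejected or interrupted update never overwrites working code.
    """
    actual = sha256_hex(blob)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError(f"digest mismatch for {dest.name}: got {actual}")
    dest.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=dest.parent, prefix=".update-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(blob)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, dest)
    except BaseException:
        Path(tmp).unlink(missing_ok=True)
        raise
    return actual


def run_pinned_skill(script: Path, expected_sha256: str, lat: float, lon: float,
                     timeout: int = 30) -> str:
    """Run a delegated skill script only if its bytes match the pinned digest.

    The verified bytes are fed to the interpreter over stdin ("python -I -"),
    so the code that runs is exactly the code that was hashed; re-reading the
    path after the check would leave a race. Coordinates are range-checked
    before they are turned into arguments.
    """
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError(f"lat/lon out of range: {lat}, {lon}")
    code = Path(script).read_bytes()
    actual = sha256_hex(code)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError(f"refusing to run {script}: digest {actual} is not pinned")
    result = subprocess.run(
        [sys.executable, "-I", "-", "--lat", str(float(lat)), "--lon", str(float(lon)),
         "--mode", "realtime"],
        input=code, capture_output=True, timeout=timeout, check=True,
    )
    return result.stdout.decode()


# Constructed stand-in for the parking skill; the real one is not on the page.
FAKE_PARKING_SKILL = b'import sys\nprint("parking:" + " ".join(sys.argv[1:]))\n'


def demo() -> dict:
    """Exercise both checks in a scratch directory and report the outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        dest = Path(d) / "parking.py"
        pinned = sha256_hex(FAKE_PARKING_SKILL)
        # 1. A payload whose digest differs from the pin is rejected; nothing is written.
        try:
            verify_and_install(b"import os\nos.system('id')\n", pinned, dest)
            out["tampered_update_rejected"] = False
        except ValueError:
            out["tampered_update_rejected"] = not dest.exists()
        # 2. The pinned payload installs and runs with validated arguments.
        verify_and_install(FAKE_PARKING_SKILL, pinned, dest)
        out["stdout"] = run_pinned_skill(dest, pinned, 25.0, 121.5)
        # 3. Out-of-range coordinates never reach the subprocess.
        try:
            run_pinned_skill(dest, pinned, 95.0, 0.0)
            out["bad_coords_rejected"] = False
        except ValueError:
            out["bad_coords_rejected"] = True
        # 4. Editing the installed file afterwards makes execution refuse.
        dest.write_bytes(FAKE_PARKING_SKILL + b"print('extra')\n")
        try:
            run_pinned_skill(dest, pinned, 25.0, 121.5)
            out["tampered_script_refused"] = False
        except ValueError:
            out["tampered_script_refused"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Feeding the verified bytes to `python -I -` closes the window between hashing the file and executing it, and `-I` keeps the caller's environment variables and user site-packages out of the child. The update path writes to a temporary file in the target directory and swaps it in with `os.replace`, so an interrupted or rejected update cannot leave a half-written skill behind. Neither step replaces operator consent: an updater should still report the digest and version it is about to install instead of silently replacing files, and should not run unattended from cron.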

Unsafe Defaults

Medium
Category
Tool Misuse
Content
```python
import requests

# KEY is the CWA API key, defined elsewhere in the skill
r = requests.get(
    "https://opendata.cwa.gov.tw/api/v1/rest/datastore/W-C0034-005",
    params={"Authorization": KEY},
    verify=False  # CWA certificate lacks an SKI; Python 3.12+ needs this parameter
)
data = r.json()
cyclones = data["records"]["TropicalCyclones"]["TropicalCyclone"]
```
Confidence
98% confidence
Finding
verify=False

Unsafe Defaults

Medium
Category
Tool Misuse
Content
```python
import requests

r = requests.get(
    "https://opendata.cwa.gov.tw/api/v1/rest/datastore/W-C0051-001",
    params={"Authorization": KEY},
    verify=False
)
```
Confidence
97% confidence
Finding
verify=False
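Both verify=False findings trace back to the same comment in the code: the server's certificate lacks a Subject Key Identifier, which recent Python versions reject under the strict X.509 profile check. Disabling verification to get past that throws away chain validation and hostname checking and sends the API key over a connection any on-path attacker can terminate. The narrow fix is to keep verification on and clear only the strict-profile flag. This is an added example, not the skill's code; it uses the standard library rather than requests (the same SSLContext can be mounted on a requests session through an HTTPAdapter), reads the key from a CWA_API_KEY environment variable (assumed name), and the function names are hypothetical.

```python
import json
import os
import ssl
import urllib.parse
import urllib.request

CWA_BASE = "https://opendata.cwa.gov.tw/api/v1/rest/datastore/"


def cwa_tls_context(cafile=None):
    """Verifying TLS context for opendata.cwa.gov.tw.

    Chain validation, hostname checking and CERT_REQUIRED stay on. The only
    thing relaxed is VERIFY_X509_STRICT, the strict X.509 profile check that
    rejects certificates without a Subject Key Identifier; that is the narrow
    alternative to verify=False. Pass cafile to pin a private CA bundle.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verification_enabled(ctx):
    """True only while the context still verifies the chain and the hostname."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def strict_profile_relaxed(ctx):
    """True when only the strict X.509 profile check has been turned off."""
    return not (ctx.verify_flags & ssl.VERIFY_X509_STRICT)


def cwa_url(dataset_id, api_key):
    """Dataset URL with the key in the query string, as the CWA API expects."""
    return CWA_BASE + dataset_id + "?" + urllib.parse.urlencode({"Authorization": api_key})


def redact_key(url, api_key):
    """Mask the key before a URL reaches a log line or an error message."""
    return url.replace(urllib.parse.quote_plus(api_key), "***")


def fetch_dataset(dataset_id, api_key=None, cafile=None, timeout=30):
    """Fetch one CWA dataset over a verifying connection.

    The key comes from the CWA_API_KEY environment variable (assumed name)
    unless passed explicitly; a low-privilege key limited to the datasets
    the skill needs is enough.
    """
    key = api_key or os.environ["CWA_API_KEY"]
    url = cwa_url(dataset_id, key)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=cwa_tls_context(cafile)))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return json.load(resp)
    except ssl.SSLCertVerificationError as exc:
        # Fail closed: a certificate problem is a reason to stop, not to retry unverified.
        raise RuntimeError(f"TLS verification failed for {redact_key(url, key)}: {exc}") from exc


if __name__ == "__main__":
    # Same lookup the skill performs, now over a verified connection (needs network + key).
    data = fetch_dataset("W-C0034-005")
    print(data["records"]["TropicalCyclones"]["TropicalCyclone"])
```

If the skill stays on requests, mount the same context with an `HTTPAdapter` subclass whose `init_poolmanager` passes `ssl_context=cwa_tls_context()` to the pool. If relaxing the strict profile is still not enough for this server, the right escalation is a pinned CA bundle through `cafile`, never `verify=False`; the two helper predicates make a one-line unit test that catches anyone reintroducing it.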

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal