Skill v1.2.0
VirusTotal security
Surf Query · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 5:24 AM
- Hash: 7b674386bb7ac1dd204b1df4aa4d216bfb81c6917e3c5f293c35fb31d110ab5e
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: surf-query
  - Version: 1.2.0

  The skill is classified as suspicious primarily due to two significant security vulnerabilities. First, the `update.sh` script performs an auto-update by directly downloading and overwriting `surf_query.py`, `skill.yml`, and `taiwan_surf_spots.json` from a GitHub repository (`https://github.com/Harperbot/openclaw-surf-query/raw/main/`). This introduces a supply chain risk, as a compromise of the GitHub repository could lead to the automatic execution of malicious code on the user's system (seen in `update.sh`, `SKILL.md`, `README.md`). Second, the `surf_query.py` script and example code in `README.md` disable SSL/TLS certificate verification (`verify=False`) when making requests to the CWA API, making these communications vulnerable to Man-in-the-Middle attacks. While the skill's stated purpose is benign and there's no direct evidence of intentional malice (e.g., data exfiltration to unauthorized endpoints, explicit prompt injection against the agent), these vulnerabilities present significant security risks.
