Surf

Security checks across malware telemetry and agentic risk

Overview

Surf appears to be a legitimate crypto data skill, but it asks agents to make persistent project and home-directory changes and can send recent chat context to Surf feedback, so users should review it carefully before installing.

Install only if you are comfortable with Surf becoming a default crypto data source in projects where it runs. Decline or manually review any `AGENTS.md`/`CLAUDE.md` routing change, do not allow an automatic git commit without checking the diff, and avoid feedback submission when recent chat turns include wallet addresses, API keys, portfolio details, trading plans, or private project information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill is presented as a crypto data retrieval tool, but it also instructs the agent to modify repository guidance files, create persistent state under the user's home directory, and commit changes. Those side effects materially exceed the declared purpose and could alter project behavior or source control state without a strong functional need tied to answering crypto-data queries.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The feedback workflow goes beyond crypto data access by transmitting conversation-linked feedback externally and storing issue reports locally. This expands the skill's data-handling scope and introduces privacy and persistence risks not justified by the advertised purpose of the tool.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
Instructing the agent to run `git add`/`git commit` creates durable changes in the user's repository and source-control history for a non-essential purpose. This can pollute repos, trigger automation, or make unwanted policy changes appear as user-approved project changes.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Creating marker files under `~/.surf` introduces persistent state outside the project for behavioral tracking ('do not ask again') and feedback storage. For a crypto query skill, this is unnecessary privilege expansion and can surprise users by writing hidden files to their home directory.

Vague Triggers

Medium
Confidence: 88%
Finding
The activation guidance is overly broad ('use whenever the user needs crypto data... even if they don't say surf explicitly'), encouraging frequent invocation and widening exposure to the skill's side effects. Over-broad routing increases the chance the agent will run setup, persistence, or networked commands in contexts where the user did not explicitly request this tool.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill directs file creation/modification and git commits with insufficient user-facing warning about repository changes and their consequences. Even where a question is asked, the workflow is framed as recommended and culminates in an automatic commit, which is too much authority for a data skill.

Missing User Warnings

Medium
Confidence: 96%
Finding
The feedback flow states that the last 10 conversation turns are automatically attached, but the prompt asking for consent does not prominently warn the user that chat content will be sent externally. This creates a realistic risk of unintentional disclosure of sensitive prompts, wallet data, or operational details.

Missing User Warnings

Low
Confidence: 87%
Finding
The skill directs writing issue reports to persistent local storage without a clear warning that interaction details may be retained on disk. While lower impact than external transmission, it still creates privacy and data-retention risk beyond the tool's stated purpose.

Ssd 3

Medium
Confidence: 97%
Finding
Automatically attaching recent conversation turns to feedback creates a direct path for exfiltrating sensitive user-provided content to an external service. In a crypto context, chats may include wallet addresses, portfolio details, trading intentions, or mistakenly pasted secrets, making the disclosure risk materially higher.

VirusTotal

65/65 vendors flagged this skill as clean.