Surge Download Manager

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Surge download-manager helper with disclosed server and token features, but users should manage downloads, disk space, and tokens carefully.

Install only from the official Surge source, choose output folders deliberately, monitor disk space for batch downloads, avoid downloading from untrusted URLs, keep API tokens private, expose remote hosts only on trusted networks, and stop the server mode when downloads are complete.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 81% confidence
Finding: The skill instructs users to start a server/daemon and download files to disk without clearly warning that this creates persistent background activity and writes untrusted remote content locally. In an agent setting, this can normalize potentially risky actions such as fetching attacker-controlled URLs, filling disk space, or exposing remote-control functionality via host/token options without sufficient operator awareness.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal