Surfline (public)

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent Surfline forecast helper that uses public no-login endpoints. The only points to note are its disclosed external requests and its local caching.

This looks safe for public Surfline forecast use. Before installing, be aware that spot searches and spot IDs go to Surfline, and cached results may remain under ~/.cache/surfline unless you delete them or choose another cache directory.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your searched spot names or Surfline spot IDs are sent to Surfline to retrieve forecast data.

Why it was flagged

The scripts send user-supplied search terms and spot IDs to Surfline over HTTPS. This is disclosed, limited to public GET-style forecast/search endpoints, and matches the skill's purpose.

Skill content

BASE = "https://services.surfline.com" ... url = f"{BASE}/search/site?q={q}" ... urllib.request.urlopen(req, timeout=timeout)

Recommendation

Use the skill for surf lookups you are comfortable sending to Surfline, and avoid entering unrelated private text as a search query.

What this means

Local cache files may reveal which surf spots were searched or reported.

Why it was flagged

Forecast and search responses are cached locally in the user's home directory, so spot-related lookup history can persist between runs; the path is scoped and configurable.

Skill content

CACHE_DIR = Path(os.environ.get("SURFLINE_CACHE_DIR", str(Path.home() / ".cache" / "surfline"))) ... p.write_text(json.dumps(data), encoding="utf-8")

Recommendation

If this location-preference history matters, clear ~/.cache/surfline periodically or set SURFLINE_CACHE_DIR to a location you manage.