Surfline (public)
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: surfline Version: 0.1.0 The skill's code and documentation are clearly aligned with its stated purpose of fetching public surf forecasts from Surfline. It uses standard Python libraries for network requests to `https://services.surfline.com` and for local caching in `~/.cache/surfline`. Configuration is read from `~/.config/surfline/favorites.json`. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent in SKILL.md. All observed behaviors are benign and expected for a skill of this type.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your searched spot names or Surfline spot IDs are sent to Surfline to retrieve forecast data.
The scripts send user-supplied search terms and spot IDs to Surfline over HTTPS. This is disclosed, limited to public GET-style forecast/search endpoints, and matches the skill's purpose.
BASE = "https://services.surfline.com" ... url = f"{BASE}/search/site?q={q}" ... urllib.request.urlopen(req, timeout=timeout)Use the skill for surf lookups you are comfortable sending to Surfline, and avoid entering unrelated private text as a search query.
Local cache files may reveal which surf spots were searched or reported.
Forecast and search responses are cached locally in the user's home directory, so spot-related lookup history can persist between runs; the path is scoped and configurable.
CACHE_DIR = Path(os.environ.get("SURFLINE_CACHE_DIR", str(Path.home() / ".cache" / "surfline"))) ... p.write_text(json.dumps(data), encoding="utf-8")If this location-preference history matters, clear ~/.cache/surfline periodically or set SURFLINE_CACHE_DIR to a location you manage.