ClawHub

Raysurfer Code Caching

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent code-caching purpose, but it sends task text and full source files to a third-party service and encourages reuse of remotely retrieved code without enough user control.

Install only if you are comfortable sending task descriptions and selected source files to Raysurfer. Avoid using it on private, regulated, customer, or secret-bearing code unless you have reviewed exactly what will be uploaded and understand the service's retention and sharing model. Treat cached or public snippets as untrusted code and review them before writing or running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (18)

Tainted flow: 'req' from open (line 7, file read) → urllib.request.urlopen (network output)

High
Category
Data Flow
Content
}).encode(),
    headers={"Authorization": f"Bearer {os.environ['RAYSURFER_API_KEY']}", "Content-Type": "application/json"},
)
with urllib.request.urlopen(req) as resp:
    print(json.dumps(json.loads(resp.read()), indent=2))
Confidence
97% confidence
Finding
with urllib.request.urlopen(req) as resp:

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly describes uploading recently generated code to a remote cache, but it does not warn users that local code artifacts may be transmitted to a third-party service or discuss privacy, confidentiality, or consent implications. In an agent skill context, this is risky because generated code can include proprietary logic, secrets, internal paths, or sensitive snippets from prior tasks, and documentation that normalizes upload behavior without disclosure increases the chance of unintentional data exfiltration.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs uploading full generated file contents to a third-party API but does not require explicit user consent or warn that proprietary code, secrets, or sensitive business logic may be disclosed. In an agent setting, this can silently exfiltrate confidential source code produced during the session.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The API reference documents an endpoint that uploads full task descriptions and full file contents to a third-party service, but it does not warn users that potentially sensitive source code and prompts leave the local environment. In an agent skill context, this omission is security-relevant because users may unknowingly transmit proprietary code, secrets, or regulated data to a remote cache service.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script sends user-provided task text to an external service and authenticates with an API key, but provides no disclosure, consent, or safeguards around what may be transmitted. In an agent-skill context, task prompts can contain sensitive code, secrets, internal paths, or business context, so silently exfiltrating them to a third party creates a real confidentiality risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends the user's task description to a third-party service and authenticates with an API key, but provides no warning, consent prompt, or disclosure about what data leaves the environment. In an agent-skill context, task descriptions can contain proprietary code, secrets, internal architecture, or sensitive prompts, so silent exfiltration to an external service is a real privacy and security risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends the user-provided task string to a third-party service at api.raysurfer.com without any consent prompt, warning, or data minimization. In an agent workflow, task descriptions often contain proprietary code context, internal file paths, or sensitive business details, so this creates a real data exfiltration/privacy risk even if the feature is intentional.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code transmits both the user-supplied task description and file contents to an external API, but the script itself provides no runtime warning, consent prompt, or safeguard to ensure the operator understands that local data is leaving the environment. In a caching skill, this behavior is core functionality, but the lack of disclosure and friction materially increases the risk of accidental sensitive-data exfiltration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script reads an arbitrary local file, packages its full contents, and uploads it to a third-party API using an API key, but provides no disclosure, confirmation, allowlist, or data-sensitivity checks. In an agent-skill context, this creates a real exfiltration risk because users or downstream automation may invoke it on sensitive source files, configs, or secrets without understanding they are being transmitted externally.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This script reads an arbitrary local file from a user-supplied path and sends its full contents to a remote third-party API. In an agent skill context, that creates a real exfiltration risk because agents may upload source code, credentials, proprietary data, or other sensitive files without any validation, consent flow, or restriction on what paths may be sent.

Ssd 3

High
Confidence
99% confidence
Finding
The skill creates a direct exfiltration path by telling the agent to upload full generated code and, when invoked with 'upload', to use the most recently generated code from the conversation. That broad instruction can capture sensitive code or user-derived content without adequate scope checks, provenance checks, or consent boundaries.

External Transmission

Medium
Category
Data Exfiltration
Content
task = sys.argv[1] if len(sys.argv) > 1 else "Parse a CSV file and generate a bar chart"
req = urllib.request.Request(
    "https://api.raysurfer.com/api/retrieve/search",
    data=json.dumps({"task": task, "top_k": 5, "min_verdict_score": 0.3}).encode(),
    headers={"Authorization": f"Bearer {os.environ['RAYSURFER_API_KEY']}", "Content-Type": "application/json"},
)
Confidence
82% confidence
Finding
https://api.raysurfer.com/

External Transmission

Medium
Category
Data Exfiltration
Content
#!/usr/bin/env bash
# Search Raysurfer cache. Usage: bash search.sh "task description"
TASK="${1:-Parse a CSV file and generate a bar chart}"
curl -s -X POST https://api.raysurfer.com/api/retrieve/search \
  -H "Authorization: Bearer $RAYSURFER_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"task\": \"$TASK\", \"top_k\": 5, \"min_verdict_score\": 0.3}" | python3 -m json.tool 2>/dev/null
Confidence
87% confidence
Finding
curl -s -X POST https://api.raysurfer.com/api/retrieve/search \ -H "Authorization: Bearer $RAYSURFER_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
#!/usr/bin/env bash
# Search Raysurfer cache. Usage: bash search.sh "task description"
TASK="${1:-Parse a CSV file and generate a bar chart}"
curl -s -X POST https://api.raysurfer.com/api/retrieve/search \
  -H "Authorization: Bearer $RAYSURFER_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"task\": \"$TASK\", \"top_k\": 5, \"min_verdict_score\": 0.3}" | python3 -m json.tool 2>/dev/null
Confidence
87% confidence
Finding
https://api.raysurfer.com/

External Transmission

Medium
Category
Data Exfiltration
Content
TASK="${1:?Usage: upload.sh <task> <file>}"
FILE="${2:?Usage: upload.sh <task> <file>}"
CONTENT=$(cat "$FILE" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read()))")
curl -s -X POST https://api.raysurfer.com/api/store/execution-result \
  -H "Authorization: Bearer $RAYSURFER_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"task\": \"$TASK\", \"file_written\": {\"path\": \"$(basename "$FILE")\", \"content\": $CONTENT}, \"succeeded\": true, \"auto_vote\": true}" | python3 -m json.tool 2>/dev/null
Confidence
87% confidence
Finding
curl -s -X POST https://api.raysurfer.com/api/store/execution-result \ -H "Authorization: Bearer $RAYSURFER_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
TASK="${1:?Usage: upload.sh <task> <file>}"
FILE="${2:?Usage: upload.sh <task> <file>}"
CONTENT=$(cat "$FILE" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read()))")
curl -s -X POST https://api.raysurfer.com/api/store/execution-result \
  -H "Authorization: Bearer $RAYSURFER_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"task\": \"$TASK\", \"file_written\": {\"path\": \"$(basename "$FILE")\", \"content\": $CONTENT}, \"succeeded\": true, \"auto_vote\": true}" | python3 -m json.tool 2>/dev/null
Confidence
87% confidence
Finding
https://api.raysurfer.com/

External Transmission

Medium
Category
Data Exfiltration
Content
const [task, filepath] = [process.argv[2], process.argv[3]];
if (!task || !filepath) { console.error("Usage: bun upload.ts <task> <file>"); process.exit(1); }
const content = readFileSync(filepath, "utf-8");
const resp = await fetch("https://api.raysurfer.com/api/store/execution-result", {
  method: "POST",
  headers: { Authorization: `Bearer ${process.env.RAYSURFER_API_KEY}`, "Content-Type": "application/json" },
  body: JSON.stringify({ task, file_written: { path: basename(filepath), content }, succeeded: true, auto_vote: true }),
Confidence
95% confidence
Finding
fetch("https://api.raysurfer.com/api/store/execution-result", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
const [task, filepath] = [process.argv[2], process.argv[3]];
if (!task || !filepath) { console.error("Usage: bun upload.ts <task> <file>"); process.exit(1); }
const content = readFileSync(filepath, "utf-8");
const resp = await fetch("https://api.raysurfer.com/api/store/execution-result", {
  method: "POST",
  headers: { Authorization: `Bearer ${process.env.RAYSURFER_API_KEY}`, "Content-Type": "application/json" },
  body: JSON.stringify({ task, file_written: { path: basename(filepath), content }, succeeded: true, auto_vote: true }),
Confidence
95% confidence
Finding
https://api.raysurfer.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal