Downloads: 1450
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install raysurfer
Description
Cache and reuse code from prior AI agent executions via Raysurfer. Search before coding, upload after success.
Usage Guidance
What to check before installing/using this skill:
- The SKILL.md and scripts require RAYSURFER_API_KEY even though the registry lists no required env vars — do not set a privileged or organization-wide API key until you confirm what the key can access.
- This skill will POST full file contents to https://api.raysurfer.com for uploads and may upload code from the conversation if invoked with the `upload` argument — avoid uploading proprietary, secret, or regulated code. Prefer using a restricted test key or disabling uploads until you audit it.
- Confirm the service (api.raysurfer.com) is the legitimate endpoint and review Raysurfer's privacy/security policy and retention rules (how long uploaded code is stored, who can access it, whether it is shared/public).
- If you plan to use it, require explicit user confirmation before any upload: modify the skill so the agent prompts and shows the exact file contents that will be uploaded rather than uploading automatically.
- Fix the metadata: the skill should declare RAYSURFER_API_KEY as a required environment variable/primary credential so policy/permission tooling can surface it to admins.
- Consider removing or disabling the "public snippets" header option if you want to avoid license/copyright issues, and prefer reviewing matched code before writing it to disk.
If you cannot verify the endpoint, data retention, and appropriate API key scope, treat this skill as higher-risk and do not use it with sensitive code.
Capability Analysis
Type: OpenClaw Skill
Name: raysurfer
Version: 1.0.0
This skill is classified as suspicious due to its inherent high-risk capabilities, although they align with its stated purpose. The skill instructs the AI agent to read the content of local files (code) and transmit them to an external service (api.raysurfer.com) via POST requests, as seen in `SKILL.md`, `upload.sh`, `upload.py`, and `upload.ts`. Additionally, `SKILL.md` explicitly instructs the agent to execute code retrieved from this external service, which introduces a significant supply chain risk if the external service or cached code were compromised. While these actions are central to a 'code caching' skill, they represent a broad capability for data exfiltration and arbitrary code execution, lacking clear malicious intent from the skill itself but posing a substantial security risk.
Capability Assessment
Purpose & Capability
Name/description (cache and reuse code) match the included scripts and API endpoints (search/upload/vote against https://api.raysurfer.com). However, registry metadata lists no required environment variables while SKILL.md and all helper scripts clearly require RAYSURFER_API_KEY, a metadata inconsistency that should be resolved before the skill is trusted.
Instruction Scope
SKILL.md tightly describes a search → use/generate → vote → upload flow, which is consistent with the purpose. But it also instructs uploading the "most recently generated code in the conversation" and includes runnable scripts that read and POST file contents, behavior that can transmit local or conversational code (potentially sensitive or proprietary) to an external API. It also suggests enabling public snippet crawling (X-Raysurfer-Public-Snips: true), which may raise license/copyright concerns.
Install Mechanism
There is no remote install step or download URL — the skill is instruction+script-only and uses standard curl/urllib/fetch calls. No extract/download-from-untrusted-host behavior was found.
Credentials
Runtime requires a single Bearer token (RAYSURFER_API_KEY) according to SKILL.md and all scripts, but the registry metadata lists no required env vars or primary credential — this mismatch is problematic. Requesting one API key is proportionate for the stated service, but the omission in metadata and the scripts' ability to upload arbitrary file content elevate the risk if a privileged key is used.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system config, and has no install-time persistence. The main risk is not privilege escalation but data exfiltration via normal upload calls (user-invocation or agent-invocation can trigger uploads).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install raysurfer
- After installation, invoke the skill by name or use /raysurfer
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the raysurfer skill.
- Enables searching and reusing cached code from past AI executions and public code snippets.
- Allows uploading new successful code for future reuse through the Raysurfer API.
- Includes scripts for search and upload in multiple languages (Python, Bun, Bash).
- Requires the RAYSURFER_API_KEY environment variable for authentication.
- Provides detailed workflow and API usage instructions in the documentation.
Frequently Asked Questions
What is Raysurfer Code Caching?
Cache and reuse code from prior AI agent executions via Raysurfer. Search before coding, upload after success. It is an AI Agent Skill for Claude Code / OpenClaw, with 1450 downloads so far.
How do I install Raysurfer Code Caching?
Run "/install raysurfer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Raysurfer Code Caching free?
Yes, Raysurfer Code Caching is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Raysurfer Code Caching support?
Raysurfer Code Caching is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Raysurfer Code Caching?
It is built and maintained by ryx2 (@ryx2); the current version is v1.0.0.