Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cursor2api Skill Clawhub
v1.0.2Manage and deploy cursor2api to convert Cursor IDE AI conversations into Anthropic/OpenAI API formats, including token refresh and uninstallation.
⭐ 0· 105·0 current·0 all-time
byJialin@0xcjl
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The declared goal—run a cursor2api proxy so Cursor conversations appear as Anthropic/OpenAI API calls—is consistent with the commands and files. Requiring Docker/Node and a Cursor session token is reasonable for this purpose. However the skill metadata declares no required env vars/credentials while the runtime instructions repeatedly require and use a sensitive WorkosCursorSessionToken and ANTHROPIC_API_KEY, which is an internal inconsistency.
Instruction Scope
The SKILL.md and references instruct users to extract a browser session cookie (WorkosCursorSessionToken) via DevTools and place that token into env vars or plaintext dotfiles (~/.cursor2apirc, ~/.zshrc). They also provide curl examples and an auto-refresh script that restarts a docker container with the token. This guidance involves handling and persisting a highly sensitive session cookie and suggests actions (storing tokens in shell config) that expand scope beyond a minimal proxy setup. The instructions also acknowledge ToS risk but do not provide safer alternatives.
Install Mechanism
There is no packaged install spec, but the skill's core operations rely on pulling and running a third-party Docker image (waitkafuka/cursor-api:latest). Running an unvetted container from Docker Hub can execute arbitrary code on the host. No provenance, homepage, or source repo is provided to validate that image. The included refresh script simply restarts that container (benign), but the primary runtime behavior depends on the remote image's trustworthiness.
Credentials
The metadata lists no required environment variables or primary credential, yet the documentation and commands require WORKOS_CURSOR_SESSION_TOKEN and set ANTHROPIC_API_KEY (the session token). Asking users to copy a session cookie and store it in env files or use it as an API key is high-sensitivity. The skill does not request unrelated credentials, but its handling and recommended storage of this secret (plaintext rc files, scripts) is disproportionate and risky. The instructions also recommend using the token as an API key across services and host machines (local/remote), increasing exposure.
Persistence & Privilege
The skill is instruction-only and not forced always-on. It does, however, instruct users to modify shell rc files (~/.zshrc) and create a dotfile (~/.cursor2apirc) and a script (~~/scripts/cursor-token-refresh.sh) for convenience—these are user-facing persistence recommendations (not automated by the skill). This elevates the operational footprint on the user's machine but does not request platform-level privileges or change other skills' configs.
What to consider before installing
This skill appears to do what it says, but exercise caution. Key points to consider before installing or following its instructions:
- The runtime relies on a third-party Docker image (waitkafuka/cursor-api:latest) with no source or homepage; pulling/running it may execute arbitrary code. Verify the image source or run it in an isolated VM/container environment.
- The instructions require you to extract a session cookie (WorkosCursorSessionToken) from your browser and use it as an API key. That token is highly sensitive: anyone possessing it can access your Cursor account. Avoid storing it in plaintext files or shell rc files; prefer a secure secret store, short-lived tokens, or a dedicated throwaway account if you must test.
- The skill metadata does not declare the env vars it actually uses (WORKOS_CURSOR_SESSION_TOKEN, ANTHROPIC_API_KEY). That mismatch is an incoherence—treat the provided metadata as incomplete.
- Using a session cookie as an API key and proxying Cursor traffic may violate Cursor's Terms of Service; the docs note ToS risk—review Cursor's policies first.
- If you decide to proceed: inspect the Docker image (source repo or image contents), run it on a non-production or isolated host, do not reuse high-privilege credentials, and avoid persisting tokens in plaintext.
If you want stronger assurance, ask the skill author for the image repository/source, a reproducible Dockerfile, or a signed release, and for metadata to be updated to declare the required env vars/credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk97evh8mmhtcrm112ee6g7vby583j7m5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.