Developer Agent

This skill mostly does what it says (orchestrating development with Cursor and git), but there are gaps and privacy risks you should consider before enabling it: - Confirm where 'Cursor' runs and who/what can access data forwarded to it. The skill instructs sending ALL user-provided links and attachments to Cursor — that can leak sensitive files or secrets if those attachments contain credentials or private data. - The SKILL.md instructs running git and pnpm commands, but the metadata declares no required binaries. Ensure the agent environment actually has git and pnpm available and that the agent is only given access to repositories you are comfortable sharing. - The rule 'Respect Cursor’s output — Never modify' prevents sanitization of Cursor-generated plans. If Cursor might echo secrets or sensitive file contents, you lose an opportunity to redact them. - If you plan to use this skill on private or sensitive codebases, test it first in a sandbox repository. Restrict the agent's repository access and avoid sending confidential attachments. - Ask the skill author (or registry maintainer) to: (1) declare required binaries (git, pnpm), (2) document where Cursor executions occur and who controls those models/hosts, and (3) clarify whether attachments are stored or relayed outside your environment. If the author can confirm Cursor is an internal, trusted component and update metadata to list required tools, the concerns become minor. Without that info, treat this as potentially exposing sensitive artifacts and proceed cautiously.