Skill v1.0.2

ClawScan security

Cursor Agent for OpenClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 7, 2026, 7:21 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to do what it says (wrap the Cursor Agent CLI), but there are inconsistencies between the SKILL.md safety requirements and the declared metadata — and the script relies on a local CLI and uses flags that could apply changes — so proceed with caution.
Guidance
This skill is a wrapper for the Cursor 'agent' CLI and the included script defaults to read-only, which is appropriate. However:
(1) The SKILL.md insists it must not be run autonomously, but the skill metadata allows autonomous invocation. Confirm the platform will not call it without explicit user approval.
(2) The registry metadata omitted the 'agent' binary requirement. Ensure you have the official Cursor CLI installed from cursor.com before using.
(3) The script can run in a 'write' mode and uses flags (--force, --trust) that apply changes; the script does not itself prompt for confirmation, so only invoke 'write' after you (or your agent platform) get explicit user consent.
(4) Be cautious with any '--cloud' mode: it will send repo contents to cursor.com. Do not use it for sensitive/private repos unless you accept that.
If you need this skill, request that the publisher update the metadata to declare the 'agent' binary requirement and to mark the skill as non-autonomous (or ensure the platform enforces the SKILL.md consent rules) before installing.

Review Dimensions

Purpose & Capability
concern: The SKILL.md and scripts clearly require the 'agent' CLI (Cursor Agent). However the registry 'Requirements' section in the provided metadata lists no required binaries or credentials, which is inconsistent. Requiring the Cursor CLI is reasonable for the stated purpose, but the metadata omission is a mismatch that could hide setup or permission expectations.
Instruction Scope
concern: The SKILL.md imposes strict user-consent rules (MUST NOT be invoked autonomously, always start read-only, ask before write/cloud/commit). The included run.sh implements read/ask/plan/write modes and defaults to read-only, which aligns in spirit, but the script itself does not enforce interactive confirmation — it trusts the caller to pass 'write' only after confirmation. That puts the burden on the platform/agent to follow the SKILL.md rules; the skill does not technically enforce them.
Install Mechanism
ok: There is no install spec (instruction-only plus a small helper script). Nothing is downloaded or executed from remote URLs. This is low install risk.
Credentials
ok: The skill does not request environment variables, secrets, or config paths. It only invokes a local CLI and operates on a user-supplied repo path, which is proportionate to the claimed purpose.
Persistence & Privilege
concern: The skill metadata allows autonomous invocation (disable-model-invocation is false) while the SKILL.md explicitly states the skill MUST NOT be invoked autonomously and requires explicit user consent before any write/cloud/commit actions. This mismatch is the main privilege/behavior concern. 'always' is false, so it won't be force-included, but the ability for the agent to call it autonomously contradicts the documented safety constraints.