Use Cursor

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Cursor/tmux helper, but it needs review because it can run trusted background agent commands through a shell and keeps authenticated tmux sessions alive.

Install only on trusted development machines and repositories where Cursor is allowed to access code. Avoid production systems, shared machines, and secret-heavy workspaces; prefer a container for sensitive work, review task text and session names carefully, and clean up tmux sessions when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence: 80%
Finding
The FAQ says the skill does not send code to external servers, but elsewhere admits Cursor CLI may transmit data to Anthropic/Claude APIs. This misleading security claim can cause users to run the skill on sensitive code under a false privacy assumption, increasing risk of unintended data exfiltration to third-party services.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The script sends a constructed command string to a tmux shell and incorrectly treats `send-keys -l` as protection against shell interpretation. While `-l` makes tmux type the text literally, the receiving shell still parses `cd $WORKDIR` and the later `env -i ... --trust $TASK` command, so attacker-controlled values in `WORKDIR` or `TASK` can inject additional shell syntax or arguments. In this skill context, the issue is more dangerous because the script is explicitly designed to launch an agent on user-supplied tasks, increasing the likelihood that untrusted input reaches the shell.

Missing User Warnings

Medium
Confidence: 86%
Finding
The kill tool exposes destructive behavior with no confirmation, guardrail, or indication of which session will be terminated before execution. In an agent-tooling context, this increases the chance of accidental or prompt-induced disruption of active work, causing loss of progress or interruption of legitimate tasks.

Missing User Warnings

Medium
Confidence: 87%
Finding
The script injects `CURSOR_API_KEY` directly into the spawned command line, which can expose the secret through process listings, tmux history/logging, shell history inside the pane, debugging output, or accidental session sharing. Although the environment is minimized, the credential is still propagated into an interactive shell context without an explicit warning or safer secret-passing mechanism. The skill context makes this moderately more dangerous because tmux sessions are long-lived and commonly inspected or shared by operators.

Session Persistence

Medium
Category: Rogue Agent
Content
use-cursor/
├── SKILL.md              # This document
├── scripts/
│   ├── spawn.sh          # Start background task
│   ├── check.sh          # Check status
│   ├── send.sh           # Send instructions
│   ├── kill.sh           # End task
Confidence: 84%
Finding
Start background task

VirusTotal

VirusTotal findings are pending for this skill version.
