Cursor CLI Headless

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Cursor CLI automation wrapper that can edit files by default, so it is acceptable to install but should be used only in the workspaces it is intended for.

Install only if you intend to delegate code work to Cursor CLI. Run it from a clean, version-controlled project directory, use `--no-force` when you want to review changes before they are applied, protect Cursor credentials, and avoid sending streamed output to shared logs for sensitive repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes shell-capable behavior through a wrapper script and CLI execution but does not declare corresponding permissions or clearly bound its execution scope. This can cause users or enforcement systems to underestimate the skill's ability to run commands and modify the local environment, increasing the chance of unsafe use.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The invocation description is very broad and overlaps with ordinary coding, refactoring, review, and analysis requests, which makes it easy for the skill to be selected in situations beyond its narrowly intended use. Because this skill delegates to a headless CLI agent with file-modifying capability, overbroad routing increases the risk of unintended code changes or command execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document states that file modifications are enabled by default and recommends keeping them on, without a prominent warning that the skill can alter repository contents automatically. In a headless automation context, this creates a substantial risk of unintended or destructive code changes being applied without sufficient review.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script defaults to FORCE=true and advertises '--force' as the default, meaning a headless coding agent is allowed to modify files unless the caller explicitly opts out. In the context of an automation wrapper for an LLM-powered agent, this increases the chance of unintended or unsafe code changes, especially when prompts, working directories, or task files are provided non-interactively.

External Script Fetching

High
Category
Supply Chain
Content
## Prerequisites

- **Cursor CLI installed**: Run `agent --version`. If missing, install: `curl https://cursor.com/install -fsS | bash` (macOS/Linux/WSL) or see [Installation](https://cursor.com/docs/cli/installation).
- **Authenticated**: Set `CURSOR_API_KEY` in the environment for scripts, or run `agent login` interactively once. Check if already logged in with `agent status` or `agent whoami`.

## Quick start
Confidence
97% confidence
Finding
curl https://cursor.com/install -fsS | bash

VirusTotal

66/66 vendors flagged this skill as clean.
