Cursor CLI Headless

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: cursor-cli-headless
Version: 1.1.0

The skill bundle wraps the Cursor CLI, designed for automated code changes and file modifications, which inherently involves significant file system access. The `scripts/run-task.sh` script passes user-controlled prompts directly to the `agent` CLI. While the wrapper script itself is robust against shell injection, this design exposes the underlying `agent` CLI to potential prompt injection attacks, where a malicious prompt could coerce the AI agent into unintended or harmful actions (e.g., writing to sensitive system paths). Additionally, both `SKILL.md` and `scripts/run-task.sh` recommend/require installing the Cursor CLI via `curl https://cursor.com/install -fsS | bash`, a high-risk method for installing software by executing arbitrary code from the internet. There is no evidence of intentional malicious behavior within this skill bundle itself, but it facilitates risky operations.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A delegated Cursor run may change files in the selected project automatically.

Why it was flagged

The wrapper enables Cursor CLI's force mode by default, allowing the headless agent to modify files without an interactive review step.

Skill content

FORCE=true
...
[[ "$FORCE" == true ]] && CMD+=(--force)

Recommendation

Use --no-force for review-only runs, choose the working directory carefully, and run from a version-controlled workspace so changes can be inspected or reverted.

What this means

Runs will consume and act under the user's Cursor account or API key.

Why it was flagged

The skill requires Cursor account authentication, which is expected for Cursor CLI usage, but gives the invoked CLI access under the user's Cursor identity.

Skill content

Set `CURSOR_API_KEY` in the environment for scripts, or run `agent login` interactively once.

Recommendation

Use an appropriate Cursor account or scoped key where available, avoid exposing credentials in shared shells/logs, and confirm you trust the Cursor CLI installation.

What this means

If the remote installer or network path were compromised, the install command could run unwanted code locally.

Why it was flagged

The documented install path pipes a remote installer directly into a shell. This is disclosed and points to Cursor's domain, but it still requires trusting the downloaded installer.

Skill content

install: `curl https://cursor.com/install -fsS | bash`

Recommendation

Prefer official Cursor installation instructions, verify the URL, and inspect installer contents first if operating in a sensitive environment.

What this means

Sensitive code, prompts, paths, or generated file text may be visible wherever stdout is stored or forwarded.

Why it was flagged

The documented stream-json output can include retrieved file contents and tool-call details. The wrapper streams raw NDJSON to stdout, so project content may appear in logs or downstream consumers.

Skill content

tool_call.readToolCall.result.success → `{ "content": "...", "isEmpty": false, ... }`

Recommendation

Do not pipe default streamed output to shared logs for sensitive repositories; consider --no-stream with text/json output when less verbose output is sufficient.