Gate Cursor One-Click Installer (MCP + Skills)

Security checks across malware telemetry and agentic risk

Overview

This installer largely does what it claims, but it makes broad, lasting changes to Cursor, fetches unpinned remote skills, and can place trading credentials in local config.

Review before installing. Prefer selecting only the MCPs you actually need, consider using --no-skills, back up ~/.cursor/mcp.json and ~/.cursor/skills first, and avoid entering trading-enabled Gate API keys unless you specifically need trading through Cursor.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill claims to be an installer, but its documented behavior includes cloning remote content, installing all skills by default, modifying persistent Cursor configuration, and handling sensitive API credentials. That gap matters because users may consent to a simple setup action without realizing they are granting broad persistence, remote code/content ingestion, and credential storage into local config.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script comment explicitly states that the DEX MCP uses a fixed x-api-key, indicating installation of a service credential not derived from the user's own setup. Hard-coded shared credentials are dangerous because they bypass per-user authorization boundaries, can expose users to abuse or throttling tied to someone else's key, and may embed a secret that should not be distributed in client-side installer logic.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
Although presented as a Cursor installer, the script clones a remote repository and installs all skills by default, substantially expanding the trust boundary beyond the advertised action. This is risky because it pulls executable or instruction-bearing content from a mutable remote source at install time, increasing supply-chain exposure and enabling unexpected capabilities to be added to the user's environment.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The installer attempts `npm install -g npx`, which modifies the host's global package state without an explicit confirmation step. Automatic global installs are dangerous because they can change system behavior, require elevated privileges, and introduce supply-chain risk from external registries during what appears to be a local configuration step.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script reads API credentials from environment variables and injects them directly into the generated MCP config file, which creates a new at-rest copy of sensitive secrets. This is dangerous because config files are often readable by other local processes, accidentally committed to source control, included in backups, or exposed through support bundles and logs.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs writing a fixed DEX API key directly into the user's persistent mcp.json. Embedding a shared or hardcoded credential is unsafe because it can enable unauthorized use, make attribution impossible, and expose users to service abuse or unexpected data sharing without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script unconditionally removes existing skill directories and replaces them with freshly copied content, with no backup or confirmation. This can destroy local modifications, overwrite trusted versions with newly fetched remote content, and makes rollback difficult if the fetched repository is malicious or broken.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code silently copies sensitive environment credentials into the output configuration without any user-facing warning or confirmation. In an installer context, this increases the chance that users unknowingly leave exchange API credentials in plain JSON on disk, where they may later be exfiltrated or mishandled.

Session Persistence

Medium
Category
Rogue Agent
Content
- If the user does not specify which MCPs → install all: `main`, `cex-public`, `cex-exchange`, `dex`, `info`, `news`.
- If the user specifies "only install xxx" → install only the specified MCPs.

### 2. Write Cursor MCP Config

- Config file: `~/.cursor/mcp.json` (Windows: `%APPDATA%\Cursor\mcp.json`).
- If it already exists, **merge** into the existing `mcpServers`; do not overwrite other MCPs.
Confidence
91% confidence
Finding
Write Cursor MCP Config - Config file: `~/.cursor/mcp.json` (Windows: `%APPDATA%\Cursor\mcp.json`). - If it already exists, **merge** into the existing `mcpServers`; do not overwrite other MCPs. - Co

VirusTotal

61/61 vendors flagged this skill as clean.
