Security audit

cursor-agent-cli

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Cursor Agent CLI helper, but it documents powerful coding-agent modes that can change code, run unattended, or use credentials if the user chooses those options.

Install only if you intend to use Cursor Agent CLI with local code access. Verify Cursor's installer source before running pipe-to-shell commands, prefer plan or ask mode first, avoid --force/--yolo/--trust or sandbox-disabled mode in untrusted repositories or CI, keep API keys out of command history and logs, and review all generated changes before merging or deploying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and demonstrates shell execution capabilities via commands like exec({ command: ... }) and extensive CLI usage, but the metadata declares no explicit permissions or guardrails. This creates a mismatch between what the skill can cause an agent to do and what reviewers or orchestrators may expect, increasing the chance of unsafe execution without policy enforcement.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The script advertises plan mode as "read-only" but merely forwards --plan to an external binary without enforcing filesystem, network, or command restrictions. In a coding-agent context, users may rely on this wrapper's wording for safety and unintentionally run a mode that can still perform side effects if the underlying agent interprets --plan loosely or changes behavior.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The script labels ask mode as "Q&A only" but only passes --mode=ask to the external agent binary and does not independently prevent actions. Because this skill is specifically meant to drive an AI coding agent, overstating safety properties can mislead operators into trusting a mode that may still modify files, run tools, or otherwise have side effects.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example demonstrates `agent -p ... --force` for bug fixing and explicitly describes it as non-interactive and auto-approved, which normalizes autonomous code modification without a nearby warning about review, testing boundaries, or rollback. In a coding-agent skill, this is risky because users may copy the pattern into production workflows and allow an LLM-driven tool to make unreviewed changes to source code.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The CI/CD example combines automated review with `--trust` in a workflow, encouraging elevated trust in non-interactive automation without explaining the security implications. In CI contexts this is more dangerous because commands run unattended, often with repository access and secrets, so unsafe trust assumptions can expand the blast radius of prompt injection, bad recommendations, or unintended tool behavior.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The custom-header example embeds a bearer token directly in the command line, which can leak through shell history, process lists, CI logs, screenshots, or telemetry. In a terminal-oriented agent skill, this is a concrete credential-handling weakness because users are likely to copy-paste the example verbatim with real secrets.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README presents the default Agent mode as having full code-modifying access without a prominent warning before examples that encourage immediate use. In a terminal-integrated AI coding tool, this can normalize running a powerful agent in write-capable mode without users understanding the risk of unintended code changes, destructive commands, or unsafe automation.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation description is broad enough to match many normal development requests such as code generation, refactoring, and interactive programming. That can cause the skill to trigger in contexts where users did not specifically request Cursor Agent, unnecessarily steering workflows toward a powerful external tool with code execution features.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation normalizes dangerous options such as --force/--yolo and --trust, including CI examples that suppress safety checks in automated contexts. In a skill for an AI coding agent with tool access, presenting these modes without strong, repeated warnings makes unsafe execution materially more likely, especially in unattended or untrusted workspaces.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The help text advertises --force/--yolo as auto-approving all commands without any warning about the risk of arbitrary command execution or destructive changes. In an agent CLI wrapper, exposing a one-flag bypass of human approval materially increases the chance of unsafe autonomous actions, especially if users copy commands directly from the help output.

External Script Fetching

High
Category
Supply Chain
Content
```bash
# macOS, Linux, WSL
curl https://cursor.com/install -fsS | bash

# Windows PowerShell
irm 'https://cursor.com/install?win32=true' | iex
```
Confidence
98% confidence
Finding
Matched snippet: `curl https://cursor.com/install -fsS | bash`

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# macOS, Linux, WSL
curl https://cursor.com/install -fsS | bash

# Windows PowerShell
irm 'https://cursor.com/install?win32=true' | iex
```
Confidence
97% confidence
Finding
Matched snippet: `| bash`

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.