cursor-doctor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Cursor troubleshooting tool, but its repair commands can close Cursor and change Cursor-related local cache or settings.

Install only from the verified GitHub source or another trusted package source. Run diagnose first, save work before using any fix command, and treat category-specific fixes as state-changing because they may close Cursor, delete Cursor cache/MCP data, or reset Cursor settings. Review diagnostic output before sharing it because logs can reveal local paths, prompts, endpoints, or other sensitive context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and operationally implies use of a CLI tool that performs diagnosis and auto-fix actions, which reasonably entails shell execution plus reading environment/configuration files and potentially writing fixes, yet it declares no permissions. This creates a transparency and consent gap: an agent or user may invoke a skill with broader host access than expected, increasing the risk of unsafe file/system changes or leakage of local configuration data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises repair actions such as killing Cursor processes and clearing caches, but does not prominently warn that these actions are destructive and may interrupt active work, remove state, or discard diagnostic artifacts. In a troubleshooting tool, users are especially likely to run copy-pasted commands quickly, so missing warnings materially increases the risk of accidental data loss or disruption.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documented config reset action says it will back up and reset settings.json to defaults, but the README lacks a prominent warning that user configuration will be modified and may be overwritten, lost, or only partially recoverable. Because this is a repair tool for IDE issues, users under pressure may invoke reset commands without appreciating that personalized settings, proxies, extensions, or environment-related fixes could be undone.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The function recursively reads Cursor log files, which can contain prompts, file paths, tokens, endpoints, stack traces, and other sensitive user or workspace data, without any visible consent, minimization, or warning in the code. In an agent skill context, silent collection of logs is more sensitive because the data may later be surfaced, transmitted, or stored by higher-level tooling.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This routine collects environment details such as shell, proxy presence, memory, disk, and installed tool versions without any explicit disclosure or consent mechanism. While useful for diagnostics, these details can reveal enterprise network configuration, operational posture, and host characteristics that increase privacy and reconnaissance risk if exposed beyond the local user.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The repair functions delete caches and terminate Cursor processes immediately, without any user confirmation in the implementation path shown here. In an agent skill context, automatically performing destructive local actions can cause loss of unsaved work, wipe useful state, and make abuse easier if these functions are triggered unexpectedly or by a misdiagnosis.

VirusTotal

66/66 vendors flagged this skill as clean.