Cursor Cloud Agents

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Cursor Cloud Agents wrapper with real account and repository impact, but the sensitive behavior is aligned with its stated purpose.

Install only if you intend to let Cursor cloud agents operate on selected GitHub repositories using your Cursor account. If you do install it:
  • Prefer setting CURSOR_API_KEY explicitly, or in a dedicated protected file, and restrict env-file permissions.
  • Avoid sensitive prompts unless they are approved for Cursor cloud processing.
  • Review generated PRs before merging.
  • Confirm agent IDs before deletion.
  • Clear ~/.cache/cursor-api/ on shared machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability
Severity: Low
Confidence: 92%
Finding: The script automatically harvests CURSOR_API_KEY from multiple local files, including the current directory's .env and unrelated user config paths, instead of requiring explicit user-provided credentials. In an agent/deployment context this broad credential discovery can unintentionally consume secrets from the host environment and then use them to access remote services, expanding trust boundaries beyond the skill's stated purpose.

Missing User Warnings
Severity: Medium
Confidence: 83%
Finding: The documented `cursor-api.sh delete <agent-id>` operation permanently deletes agents and conversation history, but the guidance lacks a warning, confirmation step, or recovery caveat. In practice this increases the chance of accidental destructive actions, especially when the command is copied into loops or automation.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The documentation exposes a permanent delete operation for agents and conversation history without any warning about irreversible data loss or safeguards such as confirmation, soft-delete, or recovery limits. In a skill that automates agent lifecycle actions against repositories, this increases the chance of accidental or scripted destructive use by operators or downstream automation.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The webhook section documents sending agent event data to arbitrary external URLs but does not warn that prompts, repository metadata, PR links, or other agent-generated content may be transmitted off-platform. In this skill's context, agents operate on code repositories, so webhook delivery can leak sensitive development data to untrusted endpoints if misconfigured.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: Background task metadata persists the full prompt to disk in JSON under the cache directory, and logs are also written locally without a prominent warning. Prompts often contain proprietary code instructions, secrets, incident details, or internal repo information, so storing them unencrypted on disk creates avoidable local data exposure to other processes or users with filesystem access.

Tool Parameter Abuse
Severity: High
Category: Tool Misuse
Content (flagged excerpt):
Permanently deletes an agent and its conversation history.

```http
DELETE /agents/:id
```

**Response:**

Confidence: 90%
Finding: DELETE /agents/:id

VirusTotal

64/64 vendors flagged this skill as clean.