Cursor CLI

Security checks across malware telemetry and agentic risk

Overview

The plugin is transparent about being a Cursor Agent bridge, but its default mode can let Cursor Agent edit files or run shell commands without per-action approval.

Install this only if you intend to delegate model calls to Cursor Agent. For safest provider-only use, configure mode:"ask" and allowTools:false before using it; enable sandboxing or plan mode for less-trusted workspaces, verify the active Cursor account, and start fresh sessions for sensitive tasks.

VirusTotal

62/62 vendors flagged this plugin as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

If used in full-agent mode, Cursor Agent may modify files or run shell-capable actions in the workspace without asking for each action.

Why it was flagged

The plugin’s default invocation enables Cursor Agent trust/force behavior unless the user opts out, which can allow non-interactive tool actions through the local Cursor Agent.

Skill content

const allowTools = pluginConfig?.allowTools !== false; // default true
if (allowTools) {
  args.push("--force", "--trust");
}

Recommendation

Use mode:"ask" with allowTools:false for pure model-provider use, or mode:"plan"/sandbox:"enabled" for untrusted workspaces. Use the default full-agent profile only in workspaces you trust.

ASI03: Identity and Privilege Abuse
Low
What this means

Requests may use the Cursor account already logged in on the machine and consume that account’s subscription quota.

Why it was flagged

The plugin delegates calls to the locally authenticated Cursor account, so usage occurs under that account and billing/quota context.

Skill content

Model calls run under your **local `cursor-agent` login** and consume your **Cursor subscription quota**.

Recommendation

Run cursor-agent status before use and confirm it shows the intended Cursor account.

ASI06: Memory and Context Poisoning
Low
What this means

Sensitive context from one task could remain available in a resumed session if the same channel/session is reused.

Why it was flagged

The skill intentionally resumes Cursor Agent sessions, which can carry prior conversation context into later turns in the same channel.

Skill content

Session resume is enabled so multi-turn conversations work. If you switch between sensitive and non-sensitive tasks in the same channel, start a fresh OpenClaw conversation/session for the sensitive one.

Recommendation

Start a fresh OpenClaw conversation/session for sensitive work or when switching between unrelated trust contexts.

ASI08: Cascading Failures
Low
What this means

Running the refresh command changes local OpenClaw model configuration and may make new Cursor-backed models available to agents.

Why it was flagged

The refresh workflow intentionally changes OpenClaw configuration and the default model allowlist, so a bad or unintended refresh can affect later model selection.

Skill content

Persist the catalog to `models.providers.cursor-cli` ... Merge each `cursor-cli/<family>` into `agents.defaults.models` ... Only **adds** missing entries

Recommendation

Run refresh only from the trusted installed plugin, review the resulting OpenClaw config if needed, and keep backups if model allowlists are security-sensitive.