Cursor CLI Agent

Security checks across malware telemetry and agentic risk

Overview

This skill transparently delegates coding work to Cursor CLI, but it encourages unattended agents that can change code and publish repository updates without strong approval boundaries.

Install only if you intentionally want OpenClaw to delegate coding work to Cursor CLI. Prefer plan or interactive modes, use isolated worktrees or temp clones, avoid `--yolo` in sensitive repositories, and manually review diffs and generated text before any commit, push, PR creation, or GitHub comment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium (91% confidence)
Finding
The skill is described as delegating coding tasks, but this section expands into external GitHub workflows such as cloning repositories, checking out PRs, creating PRs, and posting comments. That broadens the operational scope from local code assistance to remote side effects and external service interaction, increasing the chance of unintended data disclosure or unauthorized repository actions.

Intent-Code Divergence

Severity: Medium (80% confidence)
Finding
The manifest says PR reviews should be spawned in a temporary directory, but the multi-PR review example uses `workdir:~/project` for review commands. That contradiction can lead the agent to inspect or act in the wrong repository context, mixing local state with PR review activity and undermining the isolation intended by the skill description.

Missing User Warnings

Severity: Medium (93% confidence)
Finding
The documentation recommends `--yolo` auto-execution for code changes and describes it as fast, but it does not pair that guidance with a prominent warning about destructive modifications, dependency changes, command execution, or other side effects. In a skill that delegates to an autonomous coding agent, normalizing auto-approval materially raises the risk of unsafe edits or unintended actions.

Missing User Warnings

Severity: Medium (96% confidence)
Finding
This example instructs the agent to 'Commit and push' changes automatically, which creates direct remote side effects on a repository. Without an explicit approval gate or warning, the skill encourages autonomous publication of code that may be incorrect, sensitive, or unauthorized, making the impact higher than local-only file changes.

Missing User Warnings

Severity: Low (77% confidence)
Finding
Automated PR commenting posts externally visible content to GitHub, which can leak internal analysis, inaccurate conclusions, or sensitive details. Although lower impact than code pushes, it still creates integrity and privacy risks when documented as an automated follow-up step without approval guidance.

VirusTotal

64/64 vendors flagged this skill as clean.