Cursor Cloud Agent

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it also starts an under-disclosed background watcher with a Cursor API key and can send task details to Feishu.

Install only if you are comfortable giving this skill a Cursor API key with access to your authorized repositories. Before using `create`, confirm the repo, branch, prompt, and auto-PR setting; consider using `--no-direct` for tasks needing human review. Avoid configuring `CURSOR_NOTIFY_TARGET` or `--notify` unless you intend Cursor task details and possible conversation excerpts to be sent to Feishu. On shared machines, be aware that the background watcher may expose the API key through process inspection while it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
pass
    """)

    subprocess.Popen(
        [sys.executable, "-c", watcher_code],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
```
Confidence
91% confidence
Finding
`subprocess.Popen( [sys.executable, "-c", watcher_code], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, start_new_session=True, )`

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
"--message", message,
    ]
    try:
        result = subprocess.run(cmd, timeout=30, capture_output=True, text=True)
        return result.returncode == 0
    except Exception:
        return False
```
Confidence
89% confidence
Finding
`result = subprocess.run(cmd, timeout=30, capture_output=True, text=True)`

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and documents capabilities that require environment access, network communication, and shell execution, yet it does not declare permissions. This undermines least-privilege controls and prevents users or the platform from accurately assessing what the skill can do before use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose omits materially significant behaviors: detached background polling, external notifications, browser launching, additional credential sources, and GitHub CLI inspection. Hidden or under-disclosed behaviors increase the risk of unintended data exposure, persistence, and side effects beyond the user's expected workflow.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill adds Feishu notification capability by invoking the local openclaw CLI, which is outside the core declared purpose of managing Cursor agents and is not disclosed in the metadata. This broadens the trust boundary and introduces a third-party transmission channel for task details without clear user awareness.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The detached background watcher introduces persistence-like behavior and additional local subprocess execution beyond basic API management. Because it continues running after the main command exits and can later send notifications containing agent output, it creates hidden behavior that users may not expect from a simple CLI wrapper.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to place a live API key into a shell command and store it locally, but it does not warn about common secret-handling risks such as shell history capture, accidental inclusion in synced dotfiles, or exposure through backups and screen sharing. In a skill specifically meant to manage cloud agents with repository access, this omission increases the chance of credential compromise and downstream unauthorized agent or repository actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
On failure or stop, the background watcher fetches the agent conversation and forwards up to 200 characters of the last message to Feishu. Agent conversations can contain code, secrets, proprietary repository details, or user instructions, so this creates an explicit exfiltration channel to an unrelated external system without a prominent warning or consent gate.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| Command | Description |
|---------|-------------|
| `create` | Launch a new Cloud Agent (`--wait` to block until done, `--no-direct` to skip auto-execute hint) |
| `list` | List recent agents (filter by PR URL, limit) |
| `get` | Get agent details (status, summary, PR info) |
| `check` | Poll agent until finished, print final summary |
Confidence
87% confidence
Finding
auto-execute

Session Persistence

Medium
Category
Rogue Agent
Content
### Phase 2: Execute

5. Run `create --wait --auto-pr` with the confirmed repo and prompt
6. The script auto-appends an "execute directly" instruction to prevent the agent from asking for confirmation (use `--no-direct` to disable)
7. `--wait` blocks until agent finishes and prints a full summary including conversation excerpt
Confidence
76% confidence
Finding
`create --wait --auto-pr` with the confirmed repo and prompt 6. The script auto-appends an "execute directly" instruction to prevent the agent from asking for confirmation (use `--no-direct` to disable) 7.

VirusTotal

65/65 vendors flagged this skill as clean.
