Skill v1.1.0
ClawScan security
Cursor Cloud Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 1:46 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill generally matches its stated purpose (managing Cursor Cloud Agents) but has several inconsistencies and risky behaviors — notably undeclared required credentials, reliance on local CLIs, and a background watcher that embeds the API key into a spawned python -c command (exposing the key via process listings).
- Guidance
- This skill appears to do what it claims (wrap the Cursor Cloud Agent API) but has several practical and security issues you should consider before installing:
  - It requires a Cursor API key (CURSOR_API_KEY or ~/.cursor_api_key) even though the registry metadata doesn't declare this — treat the API key as sensitive.
  - The script spawns a detached background watcher by embedding your API key into a python -c command. That makes the key visible to other users on the same machine via process lists (ps) and is a real secret-exposure risk. Ask the author to stop embedding secrets into command-line strings; background workers should read secrets from a secure file descriptor, environment variable (carefully), or use an IPC mechanism instead.
  - The skill calls local CLIs ('gh' for GitHub checks and 'openclaw' for optional notifications) but doesn't declare them as required. If you run this, ensure you understand and trust those CLIs and that they are present and configured correctly.
  - If you don't want background processes or notifications, avoid using the features that spawn the watcher or set CURSOR_NOTIFY_TARGET. Prefer running commands without the background watcher (--no background/skip watcher) or modify the script to avoid detached subprocesses.
  Recommended actions before installing:
  1. Confirm with the publisher (or inspect full script) that they will remove secret-in-command-line behavior. Request a secure background-watching design.
  2. Treat your Cursor API key like any other secret; don't store it in world-readable locations and rotate it if you accidentally expose it.
  3. If you must use the skill now, run it in an isolated environment (single-user VM/container) so other local users cannot view process command-lines.
  Because of the secret-exposure and metadata omissions, I rate this skill as suspicious. If the author fixes the background watcher to avoid embedding secrets into the command-line and updates metadata to declare required credentials and binaries, this would move toward benign.
Review Dimensions
- Purpose & Capability
- concern: The SKILL.md and script clearly implement a Cursor Cloud Agent client (api.cursor.com), which is coherent with the name. However the registry metadata declares no required credentials or binaries even though the skill needs a Cursor API key and checks GitHub permissions via the 'gh' CLI and optionally calls an 'openclaw' CLI for notifications. Those requirements are missing from the declared metadata and thus inconsistent.
- Instruction Scope
- concern: Runtime instructions read an API key from ~/.cursor_api_key or CURSOR_API_KEY and run preflight checks (models, repositories) and may call 'gh' and spawn a background watcher that polls the Cursor API and optionally notifies Feishu via an external CLI. The watcher code is embedded and executed with python -c, which places the API key literal in the command string — this can expose secrets via process listings. The skill also instructs users to write the API key to a file, which is reasonable but increases risk if combined with the embedded-key behavior.
- Install Mechanism
- ok: There is no install spec (instruction-only plus included script). No remote binaries are downloaded or executed at install time, so there is no high-risk install step. The included Python script will be executed at runtime.
- Credentials
- concern: The skill requires a Cursor API key in practice (file or CURSOR_API_KEY) and also optionally reads CURSOR_NOTIFY_TARGET, but the registry metadata lists no required environment variables or primary credential. It also relies on local tools ('gh', 'openclaw') that are not declared. Requesting an API key is proportionate for this purpose, but the omission from metadata and the presence of other opaque env controls is inconsistent and increases risk.
- Persistence & Privilege
- concern: Although not marked 'always:true', the script spawns a detached background watcher process that can run for many minutes after the initial invocation. That watcher includes the API key literal inside a python -c command, persisting secret material in a process command-line and running outside the immediate agent context. This creates a persistence/secret-exposure risk beyond a simple short-lived call.
