Cursor CLI Agent
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Cursor could make or apply project changes in an automated session after trusting a workspace, including in repositories the user has not reviewed carefully.
The skill documents no-confirm code modification and also shows an automation flow that sends a key to accept the workspace trust prompt, reducing the chance of human review before a code-editing agent acts.
**Force mode (auto-apply changes without confirmation):** ... `agent -p 'Fix all linting errors' --force` ... `tmux send-keys -t cursor "a" # Trust workspace`
Avoid `--force` and scripted trust acceptance unless the repository is known and trusted. Prefer interactive review, require explicit user approval before edits, and use version control/rollback.
A background Cursor session may keep running or retain access to the project/session longer than the user expects.
The workflow starts the Cursor agent in a detached persistent tmux session, but the visible instructions do not include a bounded runtime, cleanup step, or explicit stop condition.
`tmux new-session -d -s cursor` ... `tmux send-keys -t cursor "agent 'Your task here'" Enter` ... `tmux provides a persistent pseudo-terminal (PTY)`
Add explicit timeouts, stop conditions, and cleanup such as `tmux kill-session -t cursor` after completion. Monitor captured output before accepting any changes.
Installing through a remote script gives that installer control over the local environment during setup.
The recommended installation path runs a remote shell installer. This is common for CLI setup and aligned with the skill purpose, but it depends on trusting the remote vendor script.
`curl https://cursor.com/install -fsS | bash`
Verify the URL, prefer a trusted package manager where possible, and review vendor installation guidance before running the command.
The CLI will operate with the user's Cursor account or API key, which may affect usage, billing, and access to connected resources.
The skill documents Cursor account login or API-key authentication. This is expected for a Cursor CLI integration, with no artifact evidence of credential leakage.
`agent login` ... `export CURSOR_API_KEY=your_api_key_here`
Use least-privilege credentials where available, avoid committing API keys, and revoke or rotate keys that are no longer needed.
Instructions inside a repository could steer the coding agent in ways the user did not intend.
Local project rule files can influence the Cursor agent's behavior. This is normal for coding-agent workflows, but it matters when working in untrusted repositories.
The agent automatically loads rules from: `.cursor/rules`, `AGENTS.md`, `CLAUDE.md`
Review local rule/instruction files before trusting a workspace or running automated Cursor sessions.
A project or environment MCP configuration could connect the agent to tools or data sources the user did not expect.
MCP servers can extend the agent with additional tools or data connections. The behavior is disclosed and purpose-aligned, but the artifact does not define which servers or permissions are safe.
MCP servers are automatically loaded from `mcp.json` configuration.
Inspect `mcp.json` before use, disable unknown MCP servers, and only enable servers from trusted sources.
