Skillv1.0.0

ClawScan security

Cursor Council · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:12 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions match its stated goal (orchestrating multiple Cursor agents via tmux), but a prompt-injection indicator (unicode control characters) and aggressive prompt templates that impersonate real people make the package suspicious and worth caution before installing or running.
Guidance: This skill is coherent with its stated purpose (using tmux to run multiple Cursor agents), but exercise caution before installing or running it. Specific recommendations: - Do not run it against sensitive repositories or systems until you audit the SKILL.md and reference files yourself. The skill writes prompt files and runs agent CLI commands that will send text to external models; avoid exposing secrets. - Inspect the SKILL.md and the reference files in a text editor that can show invisible characters; remove any unexpected unicode control characters before use. - The prompt templates ask models to impersonate named real people. That may yield fabricated or misleading statements and could be legally/ethically problematic; consider replacing impersonation prompts with neutral role descriptions instead. - Avoid using --force or running tasks directly on main branches; follow the skill's own advice to use dedicated branches and test on a disposable repo or workspace first. - Ensure your 'agent' CLI is logged in to an account you control, and verify which models/transport it will use (and that you have appropriate API keys configured and scoped). The skill assumes external model access but does not manage credentials itself. - If you don't trust the unknown source (no homepage, unknown owner), prefer re-implementing the essential orchestration steps yourself from the provided templates rather than installing blindly. If you want, I can (1) show how to sanitize the prompt templates to remove impersonation and control characters, or (2) generate a minimal safe wrapper script that only launches tmux sessions without writing persona files.
Findings: [unicode-control-chars] unexpected: The scanner detected unicode control characters / prompt-injection patterns embedded in SKILL.md. This is not necessary for orchestrating tmux/agent sessions and is suspicious because such characters can alter LLM input parsing or hide malicious directives.

Review Dimensions

Purpose & Capability: okName/description (multi-agent orchestration, deliberation) align with the declared requirements: it needs tmux and an 'agent' CLI and depends on a 'cursor-agent' skill. The install entries only provide tmux via brew/apt which is proportionate.
Instruction Scope: concernSKILL.md instructs the agent to create tmux sessions, write temp prompt files, run the 'agent' CLI with --force, capture pane outputs, and synthesize results. That is within the stated purpose, but the skill includes many persona templates that instruct the models to 'be' named real individuals (Joe Armstrong, TJ Holowaychuk, Ryan Dahl, etc.) and contains detected prompt-injection patterns (unicode control characters). The presence of invisible control characters in the runtime instructions is a red flag because it can manipulate LLM parsing/behavior. Also the prompts encourage impersonation of real people, which may produce misleading or legally/ethically risky outputs.
Install Mechanism: okOnly installs are standard package-manager entries for tmux (brew/apt). No downloads from URLs or archive extraction. Low install risk.
Credentials: okThe skill requests no environment variables or credentials. It expects the 'agent' CLI to be logged in and a separate 'cursor-agent' skill to be configured, which is consistent with its function. It does not request unrelated credentials or config paths.
Persistence & Privilege: okalways is false (not force-enabled), and the skill doesn't attempt to change other skills or system-wide configs. Runtime behavior writes temporary files under /tmp and creates tmux sessions — typical for this use-case and scoped to the invoking user session.