Cursor Rules

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent instruction-only Cursor IDE guide; it discusses powerful Agent and MCP features but does not include code, hidden installation, or undisclosed behavior.

This skill appears safe to install as an instruction-only guide. Before applying its Cursor recommendations, review generated diffs, avoid no-confirmation yolo mode on sensitive work, scope MCP filesystem paths narrowly, and use limited GitHub tokens.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If the user enables these Cursor features, the IDE agent could make file changes or run commands with less review, especially in yolo mode.

Why it was flagged

The skill teaches a Cursor mode that can edit files and run terminal commands, and mentions a no-confirmation mode. This is disclosed and relevant to Cursor usage, but it is powerful behavior users should control.

Skill content
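Agent mode: autonomously executes multi-step tasks (creating files, running commands, fixing errors) ... supports yolo mode (automatically executes commands without confirmation; must be enabled in settings)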
Recommendation

Keep command confirmations enabled unless you fully trust the task, review diffs before accepting them, and avoid using yolo mode on important or sensitive projects.

ASI03: Identity and Privilege Abuse
Low
What this means

A real GitHub token could allow the connected MCP server or Cursor agent to access repositories according to that token's permissions.

Why it was flagged

The MCP GitHub example uses a GitHub token. That is expected for GitHub integration, but it grants delegated account access if configured with a real token.

Skill content
"github": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"], "env": { "GITHUB_TOKEN": "ghp_xxx" } }
Recommendation

Use least-privilege tokens, avoid broad account scopes, rotate tokens if exposed, and do not place real secrets in shared project files.

ASI06: Memory and Context Poisoning
Low
What this means

Poorly written or untrusted rules could steer Cursor's AI behavior in later tasks or across projects.

Why it was flagged

The skill describes persistent Cursor rules that can be applied across projects or always included in context. This is the intended feature, but persistent instructions can influence future agent behavior.

Skill content
Add global instructions under Settings → General → Rules for AI; they apply to all projects ... `alwaysApply: true` — always included in the context
Recommendation

Only add rules you trust, review global rules periodically, and keep project-specific instructions scoped to the relevant repository.