Security Audit
cursor
Source: github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrations
Trust Assessment
cursor received a trust score of 20/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 3 high, 1 medium and 0 low severity. Key findings include "File read + network send exfiltration", "Sensitive path access: SSH key/config" and "Arbitrary File/Folder Access via `cursor` CLI".
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. The llm_behavioral_safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit c7bd8e0f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | File read + network send exfiltration | SSH key/config file access. | Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | skills/cursor/SKILL.md:181 |
| CRITICAL | Malicious Extension Installation via `cursor` CLI | `cursor --install-extension <extension-id>` installs extensions by ID. If an AI agent is given untrusted input for the extension ID, it could be coerced into installing a malicious extension from the marketplace or a custom source, leading to arbitrary code execution, data exfiltration or system compromise within the `cursor` environment and potentially the host system. | Validate and sanitize extension IDs strictly. Consider an allowlist of approved extensions, or disable the agent's ability to install extensions entirely. If installation is necessary, require human approval for new extensions and ensure they are vetted. | Unknown | SKILL.md:72 |
| HIGH | Sensitive path access: SSH key/config | Access to an SSH key/config path detected: `~/.ssh/config`. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Unknown | skills/cursor/SKILL.md:181 |
| HIGH | Arbitrary File/Folder Access via `cursor` CLI | The `cursor` CLI opens arbitrary files and folders by path (e.g., `cursor /path/to/file.ts`, `cursor /path/to/project`). If an AI agent is given untrusted input for file or folder paths, it could be coerced into opening sensitive system files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) or directories. Opening a file does not exfiltrate it directly, but it gives the agent the content, which it could then relay to the user or another tool. | Validate and sanitize all file and folder paths passed to the `cursor` CLI. Restrict the agent to a specific project directory or to an allowlist of file types/locations, and sandbox the agent's execution environment. | Unknown | SKILL.md:17 |
| HIGH | Arbitrary Data/Extensions Directory Specification | `cursor --user-data-dir` and `cursor --extensions-dir` accept arbitrary directories for user data and extensions. If an AI agent is given untrusted input for these paths, it could be coerced into reading from or writing to sensitive system locations, potentially leading to data corruption, privilege escalation or data exfiltration. | Validate and sanitize these directory paths. Restrict the agent's ability to specify arbitrary directories, confining operations to a secure, sandboxed location, and ensure the agent's execution environment has appropriate file system permissions. | Unknown | SKILL.md:87 |
| MEDIUM | Arbitrary Content Opening via Piped Input | `echo "..." \| cursor -` pipes arbitrary content into `cursor` to be opened as a new file. If an AI agent is given untrusted input for the piped content, it could be coerced into opening and displaying sensitive information, or into triggering editor-specific vulnerabilities if the content is crafted to exploit a parsing bug in Cursor. | Validate and sanitize content piped to `cursor -`. Consider restricting the agent's use of this feature with untrusted input, or run the editor in a sandbox where opening malicious content cannot affect the host. | Unknown | SKILL.md:97 |
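The recommendations above (confine paths to a project directory, deny credential locations such as `~/.ssh`, allowlist extension IDs, and keep the agent away from `--user-data-dir`, `--extensions-dir` and `cursor -`) can be enforced in one place: a policy gate that an agent harness runs over the argv it is about to execute. The following is an added example written for this report, not code from SkillShield or from the audited skill. The function names (`check_cursor_argv`, `allowed`), the extension allowlist, the sensitive-path list and the project-root/home values used in the demo are all assumptions of this example; the `cursor` flags it recognises are the ones named in the findings.

```python
"""Policy gate for `cursor` CLI invocations proposed by an AI agent.

Added example (not SkillShield's or the skill's code). Assumes the harness
passes the intended argv plus the one project directory the agent may touch.
"""
from pathlib import Path

# Extensions the operator has vetted (assumed list); anything else needs
# human approval before installation.
EXTENSION_ALLOWLIST = {"ms-python.python", "dbaeumer.vscode-eslint"}

# Credential and browser-profile locations, relative to the home directory,
# that a code-editing skill has no declared reason to open.
SENSITIVE_HOME_SUBPATHS = (
    ".ssh", ".aws", ".gnupg", ".kube", ".config/gcloud",
    ".mozilla", "Library/Application Support/Google/Chrome",
)

# Flags that relocate Cursor's state, plus the stdin marker: never agent-chosen.
BLOCKED_FLAGS = {"--user-data-dir", "--extensions-dir", "-"}
EXTENSION_FLAGS = ("--install-extension", "--uninstall-extension")


class PolicyViolation(Exception):
    """Raised with a reason string when an argv fails the policy."""


def _within(path: Path, root: Path) -> bool:
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def _resolve(raw: str, project_root: Path, home: Path) -> Path:
    # Expand ~ against the supplied home (not $HOME) so the check is
    # deterministic, anchor relative paths at the project root, then follow
    # symlinks and collapse '..' so project/link -> ~/.ssh is still caught.
    if raw == "~" or raw.startswith("~/"):
        raw = str(home / raw[2:])
    p = Path(raw)
    if not p.is_absolute():
        p = project_root / p
    return p.resolve(strict=False)


def _check_path(raw: str, project_root: Path, home: Path) -> None:
    resolved = _resolve(raw, project_root, home)
    for sub in SENSITIVE_HOME_SUBPATHS:
        if _within(resolved, (home / sub).resolve(strict=False)):
            raise PolicyViolation(f"sensitive path: {raw}")
    if not _within(resolved, project_root):
        raise PolicyViolation(f"outside project root: {raw}")


def check_cursor_argv(argv, project_root, home=None):
    """Return argv unchanged if it passes policy, else raise PolicyViolation."""
    home = Path(home) if home is not None else Path.home()
    home = home.resolve(strict=False)
    project_root = Path(project_root).resolve(strict=False)
    if not argv or argv[0] != "cursor":
        raise PolicyViolation("only the cursor binary may be invoked")
    i = 1
    while i < len(argv):
        arg = argv[i]
        flag, _, inline = arg.partition("=")      # handles --flag=value too
        if arg in BLOCKED_FLAGS or (inline and flag in BLOCKED_FLAGS):
            raise PolicyViolation(f"blocked flag: {arg}")
        if flag in EXTENSION_FLAGS:
            if inline:
                ext, step = inline, 1
            elif i + 1 < len(argv):
                ext, step = argv[i + 1], 2
            else:
                raise PolicyViolation(f"{arg} requires an extension id")
            if ext not in EXTENSION_ALLOWLIST:
                raise PolicyViolation(f"extension not allowlisted: {ext}")
            i += step
            continue
        if arg.startswith("-"):
            i += 1            # other switches (--goto, --wait, ...) pass through
            continue
        _check_path(arg, project_root, home)      # positional: file or folder
        i += 1
    return argv


def allowed(argv, project_root, home=None) -> bool:
    """Boolean convenience wrapper around check_cursor_argv."""
    try:
        check_cursor_argv(argv, project_root, home)
        return True
    except PolicyViolation:
        return False


if __name__ == "__main__":
    # Constructed candidate commands an agent might propose (assumed paths).
    root, home = "/home/agent/proj", "/home/agent"
    for cmd in (["cursor", "src/app.ts"],
                ["cursor", "~/.ssh/config"],
                ["cursor", "../../etc/passwd"],
                ["cursor", "--install-extension", "evil.publisher"],
                ["cursor", "--user-data-dir=/tmp/x"],
                ["cursor", "-"]):
        try:
            check_cursor_argv(cmd, root, home)
            print("ALLOW", cmd)
        except PolicyViolation as exc:
            print("DENY ", cmd, "->", exc)
```

The gate resolves every positional argument before comparing it with the project root, so `..` traversal and symlinks planted inside the project are judged by where they land, and `--goto`-style `file:line:col` arguments still pass because the resolved prefix stays inside the root. It is a pre-execution check only: it cannot prevent the agent from relaying the content of a legitimately opened file, which is why the report also recommends sandboxing the execution environment.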
Report: https://skillshield.io/report/46165d4bcf16958e
Powered by SkillShield