Trust Assessment
cursor-agent received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 5 critical, 1 high, 3 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Arbitrary command execution, Remote code execution: curl/wget pipe to shell.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Persistence / self-modification instructions.** Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawforgod/skills/cursor-agent/SKILL.md:23 |
| CRITICAL | **Persistence / self-modification instructions.** Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawforgod/skills/cursor-agent/SKILL.md:27 |
| CRITICAL | **Arbitrary command execution.** Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/skills/cursor-agent/SKILL.md:11 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/snail3d/clawforgod/skills/cursor-agent/SKILL.md:11 |
| CRITICAL | **Command Injection via `tmux send-keys`.** The skill's recommended automation method involves using `tmux send-keys` to execute shell commands within a pseudo-terminal. Specifically, the examples `tmux send-keys -t cursor "cd /path/to/project" Enter` and `tmux send-keys -t cursor "agent 'Your task here'" Enter` demonstrate placeholders (`/path/to/project`, `'Your task here'`) that are intended to be dynamically filled by an AI agent or script. If an AI agent populates these placeholders with untrusted user input containing shell metacharacters (e.g., `;`, `&`, `\|`, `$(...)`), an attacker could inject and execute arbitrary shell commands on the host system. This bypasses typical sandboxing by leveraging the interactive shell environment provided by tmux. Implement strict input validation and sanitization for any dynamic content (like file paths or task descriptions) passed to `tmux send-keys`. Ensure that shell metacharacters are escaped or disallowed. If possible, use safer APIs or methods that do not involve direct shell command construction from untrusted input. For example, if the `agent` tool supports reading tasks from a file, that would be a more secure approach than embedding the task directly into a shell command string. | LLM | SKILL.md:104 |
| HIGH | **Excessive Permissions Granted by `tmux` Automation.** The skill's recommended method for AI agent automation involves creating and interacting with a `tmux` session using `tmux send-keys`. This approach effectively grants the AI agent the ability to execute arbitrary shell commands within a persistent pseudo-terminal environment. While intended for running the `cursor-agent`, the underlying mechanism of `tmux send-keys` provides broad, unconstrained access to the host's shell, which is an excessive permission for an AI agent if not meticulously controlled. This increases the attack surface for command injection and unauthorized system access, as the agent can be prompted to execute any command. Re-evaluate the necessity of using `tmux send-keys` for automation. If direct shell interaction is unavoidable, ensure that the AI agent's inputs are rigorously validated and sanitized before being passed to `tmux send-keys`. Consider implementing a wrapper script that strictly controls what commands can be executed and how arguments are passed, rather than allowing the AI agent to construct arbitrary shell commands. Explore if the `cursor-agent` offers a more secure, programmatic API for automation that bypasses direct shell interaction. | LLM | SKILL.md:97 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/snail3d/clawforgod/skills/cursor-agent/SKILL.md:25 |
| MEDIUM | **Persistence mechanism: Shell RC file modification.** Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/snail3d/clawforgod/skills/cursor-agent/SKILL.md:23 |
| MEDIUM | **Persistence mechanism: Shell RC file modification.** Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/snail3d/clawforgod/skills/cursor-agent/SKILL.md:27 |