cursor-agent
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Remote Code Execution] (CRITICAL): The skill instructs users to install the Cursor CLI using
curl https://cursor.com/install -fsS | bash. Piped execution of remote scripts from non-trusted domains is a critical security risk as the script content is not verified before execution. - [Indirect Prompt Injection] (HIGH): The skill is designed to process untrusted data (logs, screenshots, code reviews) and possesses high-privilege capabilities including file modification and command execution.
- Ingestion points: Untrusted data enters via the
-pprompt flag,@context selection, and log/screenshot analysis commands inSKILL.md. - Boundary markers: Absent. There are no instructions for delimiting or ignoring instructions embedded within the data being analyzed.
- Capability inventory: The skill facilitates arbitrary file modification, code refactoring, and automated command execution, particularly when using the
--forceflag in CI/CD environments (referenced inSKILL.md). - Sanitization: Absent. There is no evidence of input validation or sanitization before external content is processed by the agent.
- [Privilege Escalation] (HIGH): The skill documentation recommends using
sudo apt install tmuxto facilitate automation. Encouraging the use ofsudofor dependency installation increases the risk of system-level compromise if the environment is malicious. - [Persistence & System Modification] (LOW): The skill instructions include modifying shell configuration files (
~/.zshrc,~/.bashrc) to update the systemPATH. While common for developer tools, this represents a persistent modification of the user's environment.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://cursor.com/install - DO NOT USE
- AI detected serious security threats
Audit Metadata