The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The documentation and installer scripts (docs/install.sh, docs/install.ps1) promote downloading and executing shell scripts via curl | bash and irm | iex from https://clawdcursor.com/install.sh. This domain and its scripts are flagged as malicious by security scanners.\n- [DATA_EXFILTRATION]: The error reporting module (src/report.ts) sends task execution summaries and redacted step logs to https://api.clawdcursor.com/reports. The destination API is flagged as malicious, posing a risk when sending desktop interaction data to an untrusted third party.\n- [EXTERNAL_DOWNLOADS]: The guide registry (src/guide-registry.ts) dynamically fetches shortcut data from an external GitHub repository (https://raw.githubusercontent.com/aschmelyun/use-the-keyboard/). This creates a runtime dependency on an unverifiable external source.\n- [COMMAND_EXECUTION]: The skill extensively uses shell command execution to perform UI automation, including subprocess.run in scripts/linux/ocr-recognize.py and persistent PowerShell processes in src/ps-runner.ts. While necessary for the tool's core purpose, these are high-risk capabilities.\n- [PROMPT_INJECTION]: The reasoning engine (src/ocr-reasoner.ts, src/a11y-reasoner.ts) ingests untrusted screen data (OCR text, accessibility nodes, and browser DOM) and feeds it into an LLM used to drive desktop actions. This architecture is vulnerable to indirect prompt injection, where malicious content displayed on screen could influence the agent to perform unauthorized actions.\n
Ingestion points: src/ocr-reasoner.ts (OCR), src/a11y-reasoner.ts (UIA), src/cdp-driver.ts (DOM)\n
Boundary markers: Absent in screen data processing\n
Capability inventory: Mouse/keyboard control, app launching, file saving, clipboard access (src/native-desktop.ts)\n
Sanitization: Redaction is present for reporting, but no filtering is applied to screen content before processing by the reasoning LLM.

clawdcursor