cursor-sdk

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — the skill explicitly instructs the SDK to clone and run against arbitrary GitHub repo URLs via cloud.repos (SKILL.md and references/runtime-choice.md) and to call external MCP HTTP servers (references/mcp.md), both of which are untrusted/user-provided third‑party content that the agent reads and acts on (e.g., triage, code review, opening PRs), enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill examples show runtime-executed external dependencies: stdio MCP servers launched via npx (e.g., @modelcontextprotocol/server-filesystem, @modelcontextprotocol/server-github) and cloud/local MCP HTTP endpoints (e.g., https://mcp.linear.app/sse, https://mcp.example.com/postgres, https://example.com/mcp) plus GitHub repo URLs cloned at cloud runtime (e.g., https://github.com/your-org/your-repo), all of which are fetched or started during agent runtime and can execute remote code or inject context that directly controls agent behavior.