cursor
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, NO_CODE
Full Analysis
- [Data Exposure & Exfiltration] (LOW): The skill identifies the location of sensitive configuration files, specifically `~/.ssh/config` and user settings. While these are documented for informational purposes regarding remote development, identifying these paths to an agent creates a target for potential credential exposure.
- [Unverifiable Dependencies & Remote Code Execution] (LOW): The skill describes the `--install-extension` command. This core feature allows the installation of third-party extensions, which constitutes remote code execution. This is a standard capability of the tool but remains a vector for potential abuse if the agent is directed to install malicious extensions.
- [Indirect Prompt Injection] (LOW): The skill's primary function is opening files and folders, which creates a surface for indirect prompt injection if the files being processed contain malicious instructions for the LLM.
  - Ingestion points: Any file or directory path provided to the `cursor` command examples, as well as stdin input using `cursor -`.
  - Boundary markers: Absent. The documentation does not provide delimiters or instructions for the agent to disregard instructions contained within the files it opens.
  - Capability inventory: Includes file system navigation, file reading, extension management, and remote workspace configuration.
  - Sanitization: Absent. There is no mechanism described to sanitize or validate the content of files before they are loaded into the editor context.
Audit Metadata