The Agent Skills Directory

Data Exposure & Exfiltration (MEDIUM): The skill accesses sensitive global configuration files (~/.cursor/mcp.json on macOS/Linux and %USERPROFILE%.cursor\mcp.json on Windows). These files frequently contain authentication tokens, API keys, or sensitive server arguments for MCP integrations. While the stated purpose is status checking, exposing these credentials to the agent context is a high-risk operation. The severity is downgraded from HIGH to MEDIUM as this is the primary intended function of the skill.\n- Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection via untrusted project-level configuration files. (1) Ingestion points: .cursor/mcp.json at the workspace root. (2) Boundary markers: Absent; there are no instructions to ignore malicious content within the config file. (3) Capability inventory: Filesystem read and dynamic MCP tool execution. (4) Sanitization: Absent; the skill directly uses keys from the parsed JSON to determine which tools to invoke.\n- Dynamic Execution (LOW): The skill dynamically determines which MCP tools to call based on the content of external JSON files. It programmatically constructs tool calls using patterns like mcp__* and attempts to execute list or get operations. This allows a malicious configuration to influence which tools the agent triggers, though the impact is limited by the skill's focus on read-only patterns.

mcp-status