cursor-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The GitHub Actions example (references/github-actions.md) explicitly checks out the repo (actions/checkout@v4) and runs agent -p "Review the diff against main..." (possibly with --force), which means the agent ingests untrusted user-provided repository/PR content from GitHub and can act on it, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes an installer that is fetched and executed at runtime (curl https://cursor.com/install -fsS | bash and irm 'https://cursor.com/install?win32=true' | iex), so the remote URL https://cursor.com/install is used to download and run code required for the CLI in CI/workflow runs.