cursor-docs
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUM
Flags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [DYNAMIC_EXECUTION]: The skill implements a 'Development Mode' via the CURSOR_DOCS_DEV_ROOT environment variable in scripts/utils/dev_mode.py and scripts/bootstrap.py. This mechanism allows the agent to redirect all script execution and configuration paths to an arbitrary directory, effectively allowing the execution of logic from a computed path.
- [REMOTE_CODE_EXECUTION]: The scripts/utils/script_utils.py file contains an ensure_yaml_installed function that executes pip install pyyaml using subprocess.check_call. While targeting a specific package, this pattern of automatic package installation at runtime is a risk factor for dependency-based attacks.
- [COMMAND_EXECUTION]: The skill makes extensive use of subprocess.run and subprocess.check_call across several files, including scripts/management/refresh_index.py, cursor_docs_api.py, and scripts/utils/script_utils.py. These scripts execute shell commands to orchestrate index rebuilding, metadata extraction, and report generation.
- [EXTERNAL_DOWNLOADS]: The scripts/core/scrape_docs.py script is designed to fetch documentation from external URLs, specifically targeting https://cursor.com/llms.txt. While this matches the skill's primary purpose, it establishes a functional path for downloading external content.
- [PROMPT_INJECTION]: The SKILL.md file contains instructions using high-priority markers such as 'CRITICAL: Path Doubling Prevention - MANDATORY' and 'ABSOLUTE PROHIBITION'. These attempt to strictly override agent behavior regarding command chaining and file access.
- [INDIRECT_PROMPT_INJECTION]: A significant attack surface for indirect prompt injection exists because the skill ingests untrusted data from external websites via scraping (scripts/core/scrape_docs.py) and possesses high-privilege capabilities including filesystem writes and shell execution. An attacker controlling a documentation source could embed instructions designed to manipulate the agent during the scraping or indexing phase.
  - Ingestion points: scripts/core/scrape_docs.py fetches content from external URLs.
  - Boundary markers: Absent; the scraped content is processed and stored without explicit delimiters or 'ignore' warnings for the processing agent.
  - Capability inventory: Subprocess execution, filesystem writes, and network access via requests are present.
  - Sanitization: Content is converted from HTML to Markdown, but no safety-specific sanitization against prompt injection is implemented.
Audit Metadata