cursor-docs
Fail
Audited by Snyk on Mar 2, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). This content is not itself malware but exposes multiple high-risk, easily-abusable capabilities:
  - project/user/team hooks that auto-run arbitrary scripts from repos or centrally-distributed config;
  - Cloud Agents with internet access, stored secrets, and auto-run commands plus team follow-up/lateral-movement risk;
  - CLI/CI examples running agent with CURSOR_API_KEY and GH_TOKEN and --force to push/modify repos;
  - Agent Skills/subagents and scripts that execute code;
  - MCP install links with base64-encoded commands;
  - telemetry hooks that can post conversation/state.

  Together these provide clear vectors for data exfiltration, credential theft, remote code execution, supply-chain/backdoor insertion, and privilege escalation if an attacker or a malicious commit/configuration abuses them.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs scraping documentation from llms.txt sources (e.g., "Scrape All Documentation" / https://cursor.com/llms.txt in SKILL.md) and includes a Browser tool that can "navigate anywhere on the web" (canonical/agent/browser.md), so the agent fetches and ingests public web content that it is expected to read and act on, exposing it to untrusted third‑party content and potential indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly scrapes runtime documentation from https://cursor.com/llms.txt (and the URLs it lists) via scripts (e.g., scrape_docs.py), and that fetched markdown is injected into the index/model context used to answer queries—so remote content at that URL is fetched at runtime and can directly influence agent prompts/responses.