thoughtful-commitment

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [Data Exposure & Exfiltration] (HIGH): The skill explicitly targets and reads sensitive files located in ~/.cursor/projects/*/agent-transcripts/*.txt and ~/Library/Application Support/Cursor/User/workspaceStorage/*/state.vscdb. These files contain private conversation history, code snippets, and workspace metadata. While this is the skill's stated purpose, it creates a high risk of accidental or malicious exposure if these details are included in public git commits.
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect injection.
      • Ingestion points: Processes untrusted data from cursor-mirror transcripts, git log history, and GitHub PR descriptions via gh pr view.
      • Boundary markers: No explicit delimiters or sanitization logic is provided in the documentation to isolate untrusted data from the agent's instructions.
      • Capability inventory: Includes run_terminal_cmd, write_file, and various git operations (commit, log, blame).
      • Sanitization: None detected. Malicious instructions embedded in a project's transcript or a PR could influence the agent to perform unauthorized actions during the COMMIT or ARCHAEOLOGY processes.
  • [Command Execution] (HIGH): The skill makes extensive use of run_terminal_cmd to execute complex shell pipelines (grep, awk, sed, sort) and Git commands. The examples show direct interpolation of parameters like <pattern> and <composer> into shell strings, which is susceptible to command injection if the agent does not strictly validate these inputs.
  • [Dynamic Execution] (MEDIUM): The examples/shell-patterns.yml file contains several python3 -c patterns for data processing. These one-liners ingest data from stdin (which can be attacker-controlled transcripts) and process it using Python logic. While restricted to one-liners, this increases the attack surface for code injection if the input stream is not properly sanitized.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 11:20 AM