cursor-codebase-indexing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The metadata field allowed-tools specifies Bash(cmd:*). This provides the AI agent with unrestricted shell access to the host system. The skill's documented purpose is to guide a user through manual Cursor IDE settings, making the inclusion of arbitrary command execution capabilities unnecessary and highly dangerous.
- [PROMPT_INJECTION] (HIGH): (Category 8: Indirect Prompt Injection). This skill possesses a significant attack surface due to its interaction with untrusted codebase data.
- Ingestion points: The skill is designed to be used while 'working with cursor codebase indexing', which involves the agent reading and processing files within a project workspace (SKILL.md).
- Boundary markers: Absent. There are no instructions or delimiters provided to ensure the agent ignores natural language instructions embedded within the source code files it indexes.
- Capability inventory: Read, Write, Edit, and Bash(cmd:*). These provide full system control.
- Sanitization: Absent. The skill does not implement any filtering or validation of the content it processes.
- Risk: A malicious file inside a project could contain instructions that, when 'read' by the agent, trigger the Bash tool to exfiltrate data or modify system configurations.
Recommendations
- AI detected serious security threats
Audit Metadata