cursor-ai

SUSPICIOUS. The skill is mostly coherent with its stated Cursor-configuration purpose and routes data to expected services, but it relies on unpinned npx-installed MCP servers and forwards sensitive tokens to third-party package code. This is better characterized as moderate supply-chain and credential-forwarding risk than clear malicious behavior.