Is cursor-agent safe?
https://clawhub.ai/swiftlysingh/cursor-agent
The cursor-agent skill is a documentation-only reference guide for the Cursor CLI tool. It contains no executable code and exhibited clean clone behavior with no network activity or canary access. However, the instructional content normalizes dangerous patterns for AI agents including curl-pipe-bash remote code execution, shell config modification, sudo usage, force-mode (bypassing confirmation), and automated workspace trust via tmux — all of which an agent might execute without adequate user consent.
Findings (12)
HIGH: Curl-pipe-bash installation pattern (-20)
The skill instructs the agent to execute 'curl https://cursor.com/install -fsS | bash', which downloads and immediately executes remote code. While this is the official Cursor installer, the pattern itself is inherently dangerous when injected into an agent's system prompt because the agent may execute it without user review.
MEDIUM: Shell config modification instructions (-10)
The skill instructs the agent to modify ~/.zshrc or ~/.bashrc to add PATH entries. An agent following these instructions would alter persistent shell configuration, affecting all future terminal sessions.
MEDIUM: Force mode bypasses user confirmation (-5)
The skill documents and encourages the --force flag which auto-applies code changes without user confirmation. An agent may invoke this on the user's codebase without explicit consent.
MEDIUM: Auto-trust workspace via tmux automation (-5)
The tmux automation guide instructs sending 'a' to automatically trust a workspace prompt. This bypasses a security confirmation that Cursor intentionally presents to users.
MEDIUM: API key stored in environment variable (-12)
The skill instructs setting CURSOR_API_KEY as a plain environment variable, which can be read by any process. If an agent follows this instruction, the API key is exposed to the entire process tree.
LOW: External URL reference for installation (-10)
The skill references cursor.com for the install script. While this is the legitimate vendor URL, agents blindly fetching and executing external URLs is a risk vector.
HIGH: Remote code execution via curl-pipe-bash (-25)
The primary installation method downloads and immediately executes a shell script from the internet. The -s flag suppresses progress output and -f fails silently on HTTP errors, making it harder to detect problems.
MEDIUM: Sudo usage for package installation (-10)
The skill instructs the agent to use sudo for installing tmux, which would require and normalize privilege escalation.
MEDIUM: Tmux session injection pattern (-10)
The tmux automation section teaches the agent to create sessions, send arbitrary keystrokes, and capture output. This pattern could be abused to inject commands into running terminal sessions.
LOW: Normalization of dangerous agent automation patterns (-45)
While the skill itself is documentation-only and contains no malicious code, it normalizes a chain of dangerous patterns for AI agents: executing remote scripts, modifying dotfiles, bypassing confirmations, and automating TTY interactions. An agent trained on these patterns may apply them in other contexts.
INFO: No executable code in repository (0)
The skill contains only markdown documentation files and JSON metadata. There are no scripts, binaries, git hooks, npm install scripts, or symlinks. All risk comes from instructions the agent would follow, not from code that runs during installation.
INFO: Clean clone behavior (0)
Installation triggered no network activity, no process spawning, no filesystem changes outside the skill directory, and no firewall blocks. The skill is purely static content.