The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill's documentation in SKILL.md and README.md explicitly instructs users to install the software by downloading scripts from 'https://clawdcursor.com/install.sh' and 'https://clawdcursor.com/install.ps1' and piping them directly into system shells ('bash' and 'iex'). This practice is highly dangerous as the domain 'clawdcursor.com' has been blacklisted by automated security scanners, making this a confirmed indicator of potential system compromise.
[COMMAND_EXECUTION]: This skill grants the AI agent comprehensive control over the host desktop, including the ability to simulate any mouse action, press arbitrary key combinations, and launch executables. Such broad capabilities provide a significant vulnerability surface if the agent is manipulated by malicious input or subverted by a compromised vendor update.
[DATA_EXFILTRATION]: Through its 'report' command and 'src/report.ts', the skill collects system-level information and task logs to be sent to 'https://api.clawdcursor.com/reports'. Although the code attempts to redact sensitive strings like API keys and email addresses, the domain's malicious reputation makes any outbound data transfer suspicious.
[PROMPT_INJECTION]: The skill's architecture relies on ingesting untrusted screen content via OCR and accessibility trees and feeding it to an LLM to decide the next action. Ingestion points: src/ocr-reasoner.ts (ocr.recognizeScreen), src/a11y-reasoner.ts (a11y.getScreenContext). Boundary markers: present in src/pipeline/agent/prompt.ts using '' tags. Capability inventory: mouseClick, typeText, keyPress, openApp (src/native-desktop.ts). Sanitization: absent beyond prompt-level instructions to ignore embedded commands, making the system vulnerable to indirect prompt injection where malicious content on the screen could override agent instructions and trigger unauthorized desktop actions.

clawdcursor