clawdcursor
Fail
Audited by Snyk on May 13, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The set is suspicious: https://clawdcursor.com/install.sh is a direct shell installer on a non‑well‑known domain (curl | bash style installs are high‑risk for malware), while http://127.0.0.1:3847 is a local service endpoint (not an external download), https://example.com is a benign placeholder, and https:// is malformed — but the presence of the direct .sh from an untrusted domain makes this collection high risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly drives and reads arbitrary public web pages as part of its core workflow (e.g., SKILL.md examples and tool docs showing window({"action":"navigate","url":"https://..."}) and browser({"action":"read_text"}) / browser CDP actions), meaning it ingests untrusted third‑party page content that can directly influence subsequent tool calls and decisions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill gives an agent full desktop and OS-level control (open apps, run local commands, relaunch processes, start a local server without asking) and can perform state-changing actions on the host, though it does not explicitly instruct obtaining sudo, editing privileged system files, or creating user accounts and includes some safety gates.
Issues (3)
- CRITICAL E005: Suspicious download URL detected in skill instructions.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W013: Attempt to modify system services in skill instructions.
Audit Metadata