cursor
Warn
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the
agent(Cursor) CLI tool. In its "delegation" mode, it specifically instructs the agent to use flags like--trust,--force, or--yolo. These flags enable the target CLI to auto-approve and execute actions, creating a risk of unauthorized system modifications if the target agent is manipulated by malicious context. - [COMMAND_EXECUTION]: The skill constructs shell commands by interpolating user-supplied or externally-derived model names directly into the command string (e.g.,
agent -p --model <model>). This presents a risk of command injection if the model name contains shell metacharacters and the host agent does not perform strict validation. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted data from the local environment and passes it to an external model. 1. Ingestion points: The skill reads local file contents and
git diffoutput to provide context to the target agent (defined inreferences/shared-procedure.md, Step 4). 2. Boundary markers: There are no explicit instructions or delimiters used to isolate untrusted context data from the agent's instructions, increasing the likelihood that the target agent follows commands embedded in the project files. 3. Capability inventory: The targetagentCLI has broad system access and, when combined with the delegation mode's auto-approval, can perform persistent changes to the system. 4. Sanitization: The skill lacks logic to sanitize or filter the gathered context data before it is processed by the target LLM.
Audit Metadata