
[docs-scanner] Built-in services table incomplete - missing cursor and droid #25272

@github-actions


Files:

  • content/manuals/ai/sandboxes/security/credentials.md
  • content/manuals/ai/sandboxes/agents/cursor.md
  • content/manuals/ai/sandboxes/agents/droid.md

Issue

The "Built-in services" table in credentials.md is incomplete. It lists services like anthropic, openai, github, google, groq, mistral, nebius, aws, and xai, but omits cursor and droid, which are documented in their respective agent pages as using the same sbx secret set -g <service> pattern.

From credentials.md:

Built-in services

Each built-in service name maps to a set of environment variables the proxy checks and the API domains it authenticates requests to:

| Service | Environment variables | API domains |
|---|---|---|
| anthropic | ANTHROPIC_API_KEY | api.anthropic.com |
| aws | AWS_ACCESS_KEY_ID | AWS Bedrock endpoints |
| github | GH_TOKEN, GITHUB_TOKEN | api.github.com, github.com |
| google | GEMINI_API_KEY, GOOGLE_API_KEY | generativelanguage.googleapis.com |
| groq | GROQ_API_KEY | api.groq.com |
| mistral | MISTRAL_API_KEY | api.mistral.ai |
| nebius | NEBIUS_API_KEY | api.studio.nebius.ai |
| openai | OPENAI_API_KEY | api.openai.com |
| xai | XAI_API_KEY | api.x.ai |

But from cursor.md:

API key: Store your Cursor API key using stored secrets:

$ sbx secret set -g cursor

Alternatively, export the CURSOR_API_KEY environment variable in your shell before running the sandbox.

And from droid.md:

API key: Store your Factory API key using stored secrets:

$ sbx secret set -g droid

Alternatively, export the FACTORY_API_KEY environment variable in your shell before running the sandbox.

Why this matters

Users following the agent-specific documentation will use sbx secret set -g cursor and sbx secret set -g droid, but when they consult the credentials.md reference to understand how the credential system works, they won't find these services documented in the "Built-in services" table.

This creates confusion about:

  • Whether cursor and droid are actually built-in services or kit-declared services
  • What environment variables and API domains these services use
  • Whether the table is comprehensive or just a partial list

The table's introductory text ("Each built-in service name maps to...") implies completeness, but the omissions suggest otherwise.

Suggested fix

Add cursor and droid to the built-in services table with their corresponding environment variables and API domains:

| Service | Environment variables | API domains |
|---|---|---|
| cursor | CURSOR_API_KEY | api2.cursor.sh |
| droid | FACTORY_API_KEY | (Factory API endpoints) |

If these are actually kit-declared services rather than built-in services, clarify this distinction in both the credentials.md file and the agent pages, and explain why they use the same sbx secret set pattern as built-in services.


Found by nightly documentation quality scanner
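
The consistency check this issue describes can be reproduced with a short script. The following is an added example, not the scanner's own code and not part of the original issue; the inputs are constructed from the excerpts quoted above, and the function names `table_services` and `undocumented` are hypothetical.

```python
import re

# Inputs constructed from the excerpts quoted in the issue, not the full files.
CREDENTIALS_MD = """\
| Service | Environment variables | API domains |
|---|---|---|
| anthropic | ANTHROPIC_API_KEY | api.anthropic.com |
| aws | AWS_ACCESS_KEY_ID | AWS Bedrock endpoints |
| github | GH_TOKEN, GITHUB_TOKEN | api.github.com, github.com |
| google | GEMINI_API_KEY, GOOGLE_API_KEY | generativelanguage.googleapis.com |
| groq | GROQ_API_KEY | api.groq.com |
| mistral | MISTRAL_API_KEY | api.mistral.ai |
| nebius | NEBIUS_API_KEY | api.studio.nebius.ai |
| openai | OPENAI_API_KEY | api.openai.com |
| xai | XAI_API_KEY | api.x.ai |
"""
AGENT_PAGES = {
    "agents/cursor.md": "$ sbx secret set -g cursor\n"
    "Alternatively, export the CURSOR_API_KEY environment variable in your shell.",
    "agents/droid.md": "$ sbx secret set -g droid\n"
    "Alternatively, export the FACTORY_API_KEY environment variable in your shell.",
}
SECRET_CMD = re.compile(r"sbx secret set\s+-g\s+([a-z0-9_-]+)")
ENV_VAR = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")

def table_services(markdown):
    """Map service name -> env vars, read from the pipe table headed 'Service'."""
    services, in_table = {}, False
    for line in markdown.splitlines():
        if not line.strip().startswith("|"):
            in_table = False
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0].lower() == "service":
            in_table = True
        elif in_table and len(cells) > 1 and not set(cells[0]) <= set("-: "):
            services[cells[0]] = [v.strip() for v in cells[1].split(",")]
    return services

def undocumented(credentials_md, agent_pages):
    """Services stored with `sbx secret set -g` on an agent page but absent from the table."""
    known = table_services(credentials_md)
    missing = {}
    for page, text in agent_pages.items():
        for service in SECRET_CMD.findall(text):
            if service not in known:
                missing[service] = (page, ENV_VAR.findall(text))
    return missing

if __name__ == "__main__":
    for service, (page, env_vars) in undocumented(CREDENTIALS_MD, AGENT_PAGES).items():
        print(f"{service}: used in {page}, env vars {env_vars}, missing from table")
```
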
