Agent skill

call-cursor

Invoke the Cursor CLI for security-focused plan validation and code review.

View SKILL.md on GitHub Repository
Stars 163
Forks 31

Install this agent skill to your Project

npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/call-cursor

SKILL.md

Call Cursor Skill

Wrapper for invoking Cursor agent via CLI for code review and security analysis.

Overview

Cursor is specialized for:

  • Security vulnerability detection
  • Code quality assessment
  • OWASP Top 10 compliance
  • Best practices enforcement

Prerequisites

  • cursor-agent CLI installed and accessible on PATH.

Expertise Weights

Area Weight Description
Security 0.8 SQL injection, XSS, auth issues
Code Quality 0.7 Style, maintainability, clarity
Testing 0.7 Coverage, test quality

Usage

/call-cursor

CLI Invocation

bash
cursor-agent --print --output-format json "<prompt>"

Flags

Flag Purpose
--print Non-interactive mode (required)
--output-format json Return structured JSON
--force Skip confirmations (optional)

IMPORTANT: The prompt is a POSITIONAL argument at the END, not a flag.

Standard Prompts

Plan Validation (Phase 2)

bash
cursor-agent --print --output-format json "
You are reviewing an implementation plan for security and code quality.

Read the plan JSON provided by the orchestrator (phase_outputs export).

Evaluate for:
1. Security vulnerabilities in proposed changes
2. Potential for injection attacks (SQL, XSS, command)
3. Authentication/authorization concerns
4. Input validation gaps
5. Secure coding practices
6. Test coverage for security scenarios

Return your assessment as JSON:
{
  \"agent\": \"cursor\",
  \"phase\": \"validation\",
  \"approved\": true|false,
  \"score\": 1-10,
  \"assessment\": \"Brief summary of your review\",
  \"concerns\": [
    {
      \"area\": \"security|quality|testing\",
      \"severity\": \"high|medium|low\",
      \"description\": \"Specific concern\",
      \"recommendation\": \"How to address it\"
    }
  ],
  \"blocking_issues\": [\"List of issues that MUST be fixed before proceeding\"],
  \"strengths\": [\"Positive aspects of the plan\"]
}

Be thorough but fair. Only mark as blocking if it's a genuine security risk.
"

Code Review (Phase 4)

bash
cursor-agent --print --output-format json "
You are performing a security-focused code review of recently implemented changes.

Review the implementation for:
1. OWASP Top 10 vulnerabilities
2. Injection flaws (SQL, NoSQL, OS command, LDAP)
3. Broken authentication/session management
4. Sensitive data exposure
5. XML external entities (XXE)
6. Broken access control
7. Security misconfiguration
8. Cross-site scripting (XSS)
9. Insecure deserialization
10. Using components with known vulnerabilities

Also check:
- Input validation on all external data
- Output encoding
- Error handling (no sensitive info leaked)
- Logging (security events captured)
- Test coverage for security scenarios

Return your assessment as JSON:
{
  \"agent\": \"cursor\",
  \"phase\": \"verification\",
  \"approved\": true|false,
  \"score\": 1-10,
  \"assessment\": \"Brief summary of code review\",
  \"issues\": [
    {
      \"file\": \"path/to/file.py\",
      \"line\": 42,
      \"severity\": \"critical|high|medium|low\",
      \"category\": \"OWASP category or quality issue\",
      \"description\": \"What's wrong\",
      \"recommendation\": \"How to fix it\"
    }
  ],
  \"blocking_issues\": [\"Critical security issues that MUST be fixed\"],
  \"passed_checks\": [\"Security checks that passed\"]
}

Be thorough. Security issues are blocking by default.
"

Outputs

  • JSON review payload for validation or verification phases.

Output Parsing

Cursor returns JSON. Parse with:

python
import json
result = json.loads(cursor_output)
approved = result.get("approved", False)
score = result.get("score", 0)
blocking = result.get("blocking_issues", [])

Error Handling

Timeout

  • Default timeout: 300 seconds
  • On timeout: Retry once with 600 seconds
  • If still fails: Log and continue with warning

Parse Error

  • If output is not valid JSON: Extract any JSON block from output
  • If no JSON found: Treat as failure, request human review

Agent Unavailable

  • If cursor-agent not installed: Skip with warning
  • Log to state.errors
  • Continue workflow (Gemini alone is not sufficient for security)

Integration with Workflow

  1. Phase 2 (Validation):

    • Run in parallel with Gemini
    • Store output in phase_outputs as cursor_feedback
    • Weight: 0.8 for security concerns

  2. Phase 4 (Verification):

    • Run in parallel with Gemini
    • Store output in phase_outputs as cursor_review

Examples

bash
cursor-agent --print --output-format json "Review the plan JSON provided in this prompt."

Related Skills

  • /validate - Plan validation workflow
  • /verify - Code review workflow
  • /resolve-conflict - Merge Cursor and Gemini feedback
    • Must approve for workflow to complete

Approval Thresholds

Phase Min Score Blocking Issues
Validation 6.0 None allowed
Verification 7.0 None allowed

Example Usage

bash
# From project directory
cd projects/my-app

# Run validation
cursor-agent --print --output-format json "Review the plan JSON provided in this prompt for security..." > cursor-feedback.json

# Check result
cat cursor-feedback.json | jq '.approved, .score'

Conflict Resolution

When Cursor disagrees with Gemini:

Issue Type Resolution
Security concern Cursor wins (weight 0.8)
Architecture concern Gemini wins (weight 0.7)
Code quality Average scores
Both blocking Human escalation

Didn't find tool you were looking for?

Be as detailed as possible for better results