Call Cursor Skill
Wrapper for invoking Cursor agent via CLI for code review and security analysis.
Overview
Cursor is specialized for:
- •Security vulnerability detection
- •Code quality assessment
- •OWASP Top 10 compliance
- •Best practices enforcement
Prerequisites
- •
cursor-agentCLI installed and accessible on PATH.
Expertise Weights
| Area | Weight | Description |
|---|---|---|
| Security | 0.8 | SQL injection, XSS, auth issues |
| Code Quality | 0.7 | Style, maintainability, clarity |
| Testing | 0.7 | Coverage, test quality |
Usage
code
/call-cursor
CLI Invocation
bash
cursor-agent --print --output-format json "<prompt>"
Flags
| Flag | Purpose |
|---|---|
--print | Non-interactive mode (required) |
--output-format json | Return structured JSON |
--force | Skip confirmations (optional) |
IMPORTANT: The prompt is a POSITIONAL argument at the END, not a flag.
Standard Prompts
Plan Validation (Phase 2)
bash
cursor-agent --print --output-format json "
You are reviewing an implementation plan for security and code quality.
Read the plan JSON provided by the orchestrator (phase_outputs export).
Evaluate for:
1. Security vulnerabilities in proposed changes
2. Potential for injection attacks (SQL, XSS, command)
3. Authentication/authorization concerns
4. Input validation gaps
5. Secure coding practices
6. Test coverage for security scenarios
Return your assessment as JSON:
{
\"agent\": \"cursor\",
\"phase\": \"validation\",
\"approved\": true|false,
\"score\": 1-10,
\"assessment\": \"Brief summary of your review\",
\"concerns\": [
{
\"area\": \"security|quality|testing\",
\"severity\": \"high|medium|low\",
\"description\": \"Specific concern\",
\"recommendation\": \"How to address it\"
}
],
\"blocking_issues\": [\"List of issues that MUST be fixed before proceeding\"],
\"strengths\": [\"Positive aspects of the plan\"]
}
Be thorough but fair. Only mark as blocking if it's a genuine security risk.
"
Code Review (Phase 4)
bash
cursor-agent --print --output-format json "
You are performing a security-focused code review of recently implemented changes.
Review the implementation for:
1. OWASP Top 10 vulnerabilities
2. Injection flaws (SQL, NoSQL, OS command, LDAP)
3. Broken authentication/session management
4. Sensitive data exposure
5. XML external entities (XXE)
6. Broken access control
7. Security misconfiguration
8. Cross-site scripting (XSS)
9. Insecure deserialization
10. Using components with known vulnerabilities
Also check:
- Input validation on all external data
- Output encoding
- Error handling (no sensitive info leaked)
- Logging (security events captured)
- Test coverage for security scenarios
Return your assessment as JSON:
{
\"agent\": \"cursor\",
\"phase\": \"verification\",
\"approved\": true|false,
\"score\": 1-10,
\"assessment\": \"Brief summary of code review\",
\"issues\": [
{
\"file\": \"path/to/file.py\",
\"line\": 42,
\"severity\": \"critical|high|medium|low\",
\"category\": \"OWASP category or quality issue\",
\"description\": \"What's wrong\",
\"recommendation\": \"How to fix it\"
}
],
\"blocking_issues\": [\"Critical security issues that MUST be fixed\"],
\"passed_checks\": [\"Security checks that passed\"]
}
Be thorough. Security issues are blocking by default.
"
Outputs
- •JSON review payload for validation or verification phases.
Output Parsing
Cursor returns JSON. Parse with:
python
import json
result = json.loads(cursor_output)
approved = result.get("approved", False)
score = result.get("score", 0)
blocking = result.get("blocking_issues", [])
Error Handling
Timeout
- •Default timeout: 300 seconds
- •On timeout: Retry once with 600 seconds
- •If still fails: Log and continue with warning
Parse Error
- •If output is not valid JSON: Extract any JSON block from output
- •If no JSON found: Treat as failure, request human review
Agent Unavailable
- •If cursor-agent not installed: Skip with warning
- •Log to state.errors
- •Continue workflow (Gemini alone is not sufficient for security)
Integration with Workflow
- •
Phase 2 (Validation):
- •Run in parallel with Gemini
- •Store output in
phase_outputsascursor_feedback - •Weight: 0.8 for security concerns
- •
Phase 4 (Verification):
- •Run in parallel with Gemini
- •Store output in
phase_outputsascursor_review
Examples
bash
cursor-agent --print --output-format json "Review the plan JSON provided in this prompt."
Related Skills
- •
/validate- Plan validation workflow - •
/verify- Code review workflow - •
/resolve-conflict- Merge Cursor and Gemini feedback- •Must approve for workflow to complete
Approval Thresholds
| Phase | Min Score | Blocking Issues |
|---|---|---|
| Validation | 6.0 | None allowed |
| Verification | 7.0 | None allowed |
Example Usage
bash
# From project directory cd projects/my-app # Run validation cursor-agent --print --output-format json "Review the plan JSON provided in this prompt for security..." > cursor-feedback.json # Check result cat cursor-feedback.json | jq '.approved, .score'
Conflict Resolution
When Cursor disagrees with Gemini:
| Issue Type | Resolution |
|---|---|
| Security concern | Cursor wins (weight 0.8) |
| Architecture concern | Gemini wins (weight 0.7) |
| Code quality | Average scores |
| Both blocking | Human escalation |